Why does bidirectional RAG amplify the risk of corpus poisoning attacks?
This explores why a RAG system that writes its own generated answers back into its retrieval corpus (bidirectional RAG) opens a wider door to poisoning than a read-only one — and what the corpus says about closing it.
This reads the question as being about the feedback loop, not the retrieval step alone: ordinary RAG only reads from a fixed corpus, but bidirectional RAG also *writes* generated answers back into it, so any bad content that slips in doesn't just produce one wrong answer — it becomes a future source that gets retrieved, cited, and built upon. The corpus frames this directly: Can RAG systems safely learn from their own generated answers? describes systems that grow their own knowledge base during use, and the entire reason they gate write-back behind entailment checks, source attribution, and novelty detection is that without those gates, a single hallucination or injected document compounds. The amplification is the loop — read, generate, write, re-read — turning a one-shot attack into a self-reinforcing one.
What makes this worse is that the things you'd write back are exactly the things that are hard to verify. Do frontier LLMs silently corrupt documents in long workflows? shows that even frontier models silently corrupt roughly a quarter of document content across long relay workflows, with errors compounding rather than plateauing — which is precisely the dynamic a write-back loop creates if generation quality isn't gated. And Where do retrieval systems fail and why? argues retrieval failure is architectural: embeddings measure association, not relevance, so a poisoned document that's merely *similar* to a query will surface regardless of whether it's true. Bidirectional RAG keeps feeding that flawed retriever new material it helped author.
The attacker's job also gets easier because poison is sticky. How much poisoned training data survives safety alignment? found that poisoning as small as 0.1% of training data survives safety alignment for denial-of-service, context-extraction, and belief-manipulation attacks. The analogy for a corpus is sharp: once a poisoned passage is written into a retrieval store, there's no alignment pass scrubbing it — it just sits there waiting to be retrieved. Worse, the verification step itself can be gamed: Can LLM judges be fooled by fake credentials and formatting? shows LLM judges fall for fake authority signals and rich formatting with zero model access, so if your write-back gate is an LLM checking 'is this trustworthy?', an attacker can dress poison up to pass.
The corpus does point at defenses, and they cluster around containment rather than detection-after-the-fact. Can we defend RAG systems from corpus poisoning without retraining? offers retrieval-time guards — partition-aware retrieval that bounds how much any one poisoned document can influence an answer, and token-masking that flags documents whose similarity collapses abnormally. Can RAG systems refuse to answer without reliable evidence? takes the opposite-but-complementary tack: refuse to answer at all without grounded evidence, trading coverage for integrity. Both matter more in a bidirectional system because the cost of a bad answer is no longer one bad answer — it's a permanent corpus entry.
The thing worth taking away: the danger of bidirectional RAG isn't that it can be poisoned — every RAG system can. It's that the write-back loop converts the corpus from a static target into a *cultivated* one, where the system's own mistakes and an attacker's injections both accumulate and amplify across cycles. That's why the credible designs (Can RAG systems safely learn from their own generated answers?) spend almost all their engineering on the gate between 'generated' and 'stored,' not on generation quality itself.
Sources 7 notes
Systems can add generated answers to their retrieval corpus when outputs pass entailment verification, source attribution checks, and novelty detection. This prevents hallucinations from polluting future retrievals while allowing genuine knowledge accumulation.
Testing 19 models across 52 domains shows even advanced systems degrade documents by ~25% over extended relay tasks, with errors compounding silently without plateauing through 50 round-trips.
RAG systems fail at three structural levels: adaptive triggering (fixed intervals waste context), semantic-task mismatch (embeddings measure association, not relevance), and mathematical limits (embedding dimension constrains representable document sets). These require fundamentally different retrieval approaches, not tuning.
Denial-of-service, context extraction, and belief manipulation attacks persist through standard safety alignment at 0.1% poisoning rates, while jailbreaking attacks are successfully suppressed, contradicting sleeper agent persistence hypotheses.
Research identified four evaluation biases in LLM judges, with authority and beauty biases being semantics-agnostic and trivially exploitable through fake references and formatting—zero-shot attacks requiring no model access or optimization.
RAGPart and RAGMask provide lightweight, retraining-free defenses that operate at the retrieval layer. RAGPart bounds poisoned-document influence via partitioned retriever learning; RAGMask flags suspicious documents through abnormal similarity collapse under token masking.
A multilingual RAG system for noisy historical newspapers succeeds by aggressively expanding retrieval while constraining generation to only grounded answers. The grounded-refusal prompt prevents hallucination when OCR errors and language drift degrade source quality, trading coverage for integrity.