When Poison Fails After Retrieval: Revisiting Corpus Poisoning under Chunking and Reranking Pipelines

Researchers demonstrate that existing corpus poisoning attacks against RAG systems fail significantly after reranking stages, revealing a critical gap between retrieval-stage attacks and real-world multi-stage pipelines. They propose CRCP, a new poisoning framework that accounts for document chunking and reranking to achieve higher attack success rates across realistic retrieval configurations.

This research addresses a fundamental vulnerability in how RAG systems are evaluated versus how they operate in production. Current poisoning studies assume simplified single-stage retrieval, but real systems employ multiple filtering layers—chunking documents into smaller passages, dense retrieval, semantic reranking, and final generation—that substantially degrade malicious payload effectiveness. The findings reveal that document-level adversarial signals fragment during chunking, while rerankers prioritize locally coherent passages over globally manipulated semantic similarity, creating a natural defense mechanism researchers previously overlooked.

The CRCP framework represents a significant advancement in understanding attack-defense dynamics for RAG systems. By modeling chunking transformations and reranker behavior during poisoning optimization, the approach generates adversarial passages that remain effective across variable chunking sizes and different reranking strategies. This multi-stage thinking reflects how modern AI systems actually operate, with multiple specialized components handling different aspects of retrieval and ranking.

For the broader AI security landscape, these findings expose a realism gap in current threat modeling. Many published poisoning attacks may overestimate practical risk because they don't account for pipeline robustness mechanisms that naturally emerge in production systems. However, the CRCP results also demonstrate that sophisticated attackers can adapt to these defenses, suggesting an ongoing arms race. Organizations deploying RAG systems should recognize that chunking strategies and reranker selection function as implicit security layers, not merely engineering choices. Conversely, those developing poisoning-resistant systems need to consider multi-stage consistency rather than protecting individual retrieval components in isolation. This research strengthens RAG system security evaluation methodology and highlights the importance of studying realistic, end-to-end pipelines rather than isolated components.

• →Existing corpus poisoning attacks lose 30-50% effectiveness after reranking due to chunking fragmentation and reranker behavior
• →Document-level adversarial signals fail to maintain coherence when split into smaller chunks, undermining attack viability
• →CRCP framework optimizes poisoning across all retrieval pipeline stages, achieving substantially higher success rates
• →Chunk size and reranker selection function as implicit security mechanisms in production RAG systems
• →Current RAG security evaluation overlooks multi-stage pipeline robustness, creating misleading threat assessments