CAREATTACK: Conflict-aware retriever edits for RAG attacks

CAREATTACK, a model-centric retriever attack framework, was introduced in an arXiv paper submitted on 16 Jun 2026 by Xinru Liu, Xianglong Zhang, Di Cai, Zhumin Chen, Pengfei Hu and Xin Xin. The method adapts parameter-editing techniques to dense retrieval models to move attacker-chosen passages above benign competitors in retrieval results and then applies a lightweight calibration step to limit collateral effects.

What is CAREATTACK and how does it work?

CAREATTACK is a two-stage attack that first edits a dense retriever to favor malicious passages, then repairs anchors to preserve non-target behavior. The paper describes a first stage called conflict-aware retriever editing that adapts closed-form parameter editing to dense retrieval, and a second stage named "attack-preserving anchor repair" that performs lightweight calibration on the edited retriever to remove unwanted impacts on non-target prompts while keeping the attack effective for targets.

Conflict-aware retriever editing uses graph-based conflict detection and a parameter-editing projection to resolve parameter conflicts that arise when promoting malicious knowledge above benign competing passages. The anchor repair step then fine-tunes only a small portion of the model to retain normal performance on non-target queries while preserving retrieval boosts for attacker-selected prompts and passages.

How was CAREATTACK evaluated?

The authors instantiated CAREATTACK on Qwen3-Embedding-0.6B and BGE-M3 and evaluated it on three benchmark datasets, showing the method can substantially increase the retrieval rank of attacker-chosen passages. Experimental results in the paper state the method "substantially promote[s] malicious passages into the retrieved knowledge of RAG systems" and that it can perform attacks for batches of target prompts and passages, provided an attacker has access to retrieval model parameters.

The paper emphasizes the attacker model requirement: CAREATTACK operates when an adversary is given access to the retrieval model parameters. The authors also publish code, noting that their codes are "public accessible at this https URL" in the paper's text, allowing replication of their experiments on the two instantiated retrievers and the three benchmark datasets.

Why it matters

Many retrieval-augmented generation systems rely on open-source dense retrievers. The paper points out that because most RAG systems are built upon open-source retrieval models, a model-centric editing technique like CAREATTACK exposes a practical attack surface: an adversary with parameter access can manipulate which evidence the generator sees. That changes the defender calculus away from solely protecting external corpora toward also protecting model parameters and the editing surface of retrievers.

What to watch

Monitor follow-up work that applies CAREATTACK to additional retriever architectures and benchmark suites, and look for defenses that restrict parameter editing or detect graph-identified conflicts. The authors provided executable code alongside the submission, so independent replication on other dense retrievers is the next concrete signal of how broadly this vector can be exploited.

Sources and specific data points: the paper was submitted to arXiv on 16 Jun 2026; the method was instantiated on Qwen3-Embedding-0.6B and BGE-M3; evaluation used three benchmark datasets; the paper names the two main stages as conflict-aware retriever editing and "attack-preserving anchor repair"; the authors state their code is publicly accessible at the linked URL.