Large Vision-Language Models (LVLMs) augmented with Retrieval-Augmented Generation (RAG) are increasingly employed in medical AI to enhance factual grounding through external clinical image-text retrieval. However, this reliance creates a significant attack surface. We propose MedThreatRAG, a novel multimodal poisoning framework that systematically probes vulnerabilities in medical RAG systems by injecting adversarial image-text pairs. A key innovation of our approach is the construction of a simulated semi-open attack environment, mimicking real-world medical systems that permit periodic knowledge base updates via user or pipeline contributions. Within this setting, we introduce and emphasize Cross-Modal Conflict Injection (CMCI), which embeds subtle semantic contradictions between medical images and their paired reports. These mismatches degrade retrieval and generation by disrupting cross-modal alignment while remaining sufficiently plausible to evade conventional filters. While basic textual and visual attacks are included for completeness, CMCI demonstrates the most severe degradation. Evaluations on IU-Xray and MIMIC-CXR QA tasks show that MedThreatRAG reduces answer F1 scores by up to 27.66% and lowers LLaVA-Med-1.5 F1 rates to as low as 51.36%. Our findings expose fundamental security gaps in clinical RAG systems and highlight the urgent need for threat-aware design and robust multimodal consistency checks. Finally, we conclude with a concise set of guidelines to inform the safe development of future multimodal medical RAG systems.

翻译：基于检索增强生成（RAG）的大型视觉语言模型（LVLMs）在医疗AI领域日益普及，其通过外部临床图文检索机制增强事实依据。然而，这种依赖性也构成了显著的攻击面。本文提出MedThreatRAG——一种新颖的多模态投毒框架，通过注入对抗性图文配对系统性地探测医疗RAG系统的脆弱性。本方法的核心创新在于构建了模拟半开放攻击环境，该环境复现了现实医疗系统中允许通过用户或流程贡献进行周期性知识库更新的场景。在此设定下，我们提出并重点研究跨模态冲突注入（CMCI）技术，该技术在医学图像与其配对报告间嵌入细微的语义矛盾。这种错配通过破坏跨模态对齐而降低检索与生成质量，同时保持足够的合理性以规避传统过滤器。虽然为完备性考量包含了基础文本与视觉攻击，但CMCI表现出最严重的性能退化。在IU-Xray和MIMIC-CXR QA任务上的评估表明，MedThreatRAG可使答案F1分数降低达27.66%，并将LLaVA-Med-1.5的F1率降至最低51.36%。我们的研究揭示了临床RAG系统存在的根本性安全缺陷，并凸显了威胁感知设计与鲁棒多模态一致性校验的迫切需求。最后，我们总结了一套简明指南，为未来多模态医疗RAG系统的安全开发提供参考。