Hybrid Retrieval-Augmented Generation (RAG) pipelines combine vector similarity search with knowledge graph expansion for multi-hop reasoning. We show that this composition introduces a distinct security failure mode: a vector-retrieved "seed" chunk can pivot via entity links into sensitive graph neighborhoods, causing cross-tenant data leakage that does not occur in vector-only retrieval. We formalize this risk as Retrieval Pivot Risk (RPR) and introduce companion metrics Leakage@k, Amplification Factor, and Pivot Depth (PD) to quantify leakage magnitude and traversal structure. We present seven Retrieval Pivot Attacks that exploit the vector-to-graph boundary and show that adversarial injection is not required: naturally shared entities create cross-tenant pivot paths organically. Across a synthetic multi-tenant enterprise corpus and the Enron email corpus, the undefended hybrid pipeline exhibits high pivot risk (RPR up to 0.95) with multiple unauthorized items returned per query. Leakage consistently appears at PD=2, which we attribute to the bipartite chunk-entity topology and formalize as a proposition. We then show that enforcing authorization at a single location, the graph expansion boundary, eliminates measured leakage (RPR near 0) across both corpora, all attack variants, and label forgery rates up to 10 percent, with minimal overhead. Our results indicate the root cause is boundary enforcement, not inherently complex defenses: two individually secure retrieval components can compose into an insecure system unless authorization is re-checked at the transition point.
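The composition failure described in the abstract, as an added illustration that is not code from the paper: a constructed five-chunk, two-tenant corpus in which both tenants mention the same entity, a tenant-filtered vector search (simulated here by token overlap rather than embeddings), and a chunk-entity-chunk graph expansion that is run once without and once with an authorization check at the expansion boundary. The metric definitions in `leakage_metrics` and `retrieval_pivot_risk` are this example's own reading of the abstract's terms (Leakage@k as the unauthorized share of the returned set, Amplification Factor as returned items per vector seed, Pivot Depth as the bipartite edge count at which the first unauthorized item appears, RPR as the share of queries that return at least one unauthorized item) and are assumptions, not the paper's formal definitions.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Chunk:
    id: str
    tenant: str
    text: str
    entities: frozenset

# Constructed toy corpus (not from the paper): tenant A and tenant B both
# have chunks linked to the shared entity "AcmeCorp", which is the pivot.
CORPUS = [
    Chunk("a1", "tenantA", "quarterly forecast for AcmeCorp account", frozenset({"AcmeCorp", "Forecast"})),
    Chunk("a2", "tenantA", "AcmeCorp renewal pricing notes", frozenset({"AcmeCorp", "Pricing"})),
    Chunk("b1", "tenantB", "AcmeCorp merger due diligence memo", frozenset({"AcmeCorp", "Merger"})),
    Chunk("b2", "tenantB", "merger timeline and board approvals", frozenset({"Merger", "Board"})),
    Chunk("b3", "tenantB", "internal payroll summary", frozenset({"Payroll"})),
]

# Constructed tenant-A workload used to estimate RPR.
QUERIES = ["AcmeCorp forecast", "renewal pricing", "payroll summary"]

def build_entity_index(corpus):
    """Entity -> set of chunk ids (the entity side of the bipartite graph)."""
    idx = defaultdict(set)
    for c in corpus:
        for e in c.entities:
            idx[e].add(c.id)
    return idx

def vector_search(corpus, query, tenant, k):
    """Stand-in for embedding similarity: token overlap, filtered by tenant.
    Taken alone this component is secure: it never returns another tenant's chunk."""
    q = set(query.lower().split())
    scored = []
    for c in corpus:
        if c.tenant != tenant:
            continue
        score = len(q & set(c.text.lower().split()))
        if score > 0:
            scored.append((score, c.id))
    scored.sort(key=lambda s: (-s[0], s[1]))
    return [cid for _, cid in scored[:k]]

def graph_expand(corpus, seeds, hops, tenant=None):
    """Expand seeds along chunk -> entity -> chunk links. Returns chunk id -> depth,
    where depth counts bipartite edges (one expansion hop = depth 2).
    If `tenant` is given, every candidate is authorization-checked at the boundary."""
    by_id = {c.id: c for c in corpus}
    entity_index = build_entity_index(corpus)
    depth = {s: 0 for s in seeds}
    frontier = list(seeds)
    for h in range(1, hops + 1):
        nxt = []
        for cid in frontier:
            for e in by_id[cid].entities:
                for nid in entity_index[e]:
                    if nid in depth:
                        continue
                    if tenant is not None and by_id[nid].tenant != tenant:
                        continue  # boundary enforcement: drop cross-tenant neighbours
                    depth[nid] = 2 * h
                    nxt.append(nid)
        frontier = nxt
    return depth

def hybrid_retrieve(corpus, query, tenant, k=2, hops=1, enforce_boundary=False):
    seeds = vector_search(corpus, query, tenant, k)
    return graph_expand(corpus, seeds, hops, tenant if enforce_boundary else None)

def leakage_metrics(corpus, results, tenant):
    """Assumed metric definitions (see lead-in); `results` is chunk id -> depth."""
    by_id = {c.id: c for c in corpus}
    unauthorized = [cid for cid in results if by_id[cid].tenant != tenant]
    n_seeds = sum(1 for d in results.values() if d == 0)
    return {
        "leakage": len(unauthorized) / len(results) if results else 0.0,
        "amplification": len(results) / n_seeds if n_seeds else 0.0,
        "pivot_depth": min((results[c] for c in unauthorized), default=None),
        "unauthorized": sorted(unauthorized),
    }

def retrieval_pivot_risk(corpus, queries, tenant, enforce_boundary, k=2, hops=1):
    """Share of queries whose returned set contains at least one unauthorized chunk."""
    leaking = 0
    for q in queries:
        r = hybrid_retrieve(corpus, q, tenant, k, hops, enforce_boundary)
        if leakage_metrics(corpus, r, tenant)["unauthorized"]:
            leaking += 1
    return leaking / len(queries) if queries else 0.0

if __name__ == "__main__":
    for enforce in (False, True):
        r = hybrid_retrieve(CORPUS, "AcmeCorp forecast", "tenantA", enforce_boundary=enforce)
        print("boundary check" if enforce else "undefended", r, leakage_metrics(CORPUS, r, "tenantA"))
        print("RPR:", retrieval_pivot_risk(CORPUS, QUERIES, "tenantA", enforce))
```

The tenant filter inside `vector_search` is never bypassed; the leak comes entirely from `graph_expand` trusting the seed set and following the shared entity into tenant B's chunks, which is why the first unauthorized item always appears at depth 2 on this bipartite topology. Passing the tenant into `graph_expand` is the single-location check the abstract describes, and it drives both Leakage@k and RPR to zero on this corpus without touching the vector component.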