The proliferation of retrieval-augmented generation (RAG) has established vector databases as critical infrastructure, yet they introduce severe privacy risks via embedding inversion attacks. Existing paradigms face a fundamental trade-off: optimization-based methods require computationally prohibitive queries, while alignment-based approaches hinge on the unrealistic assumption of accessible in-domain training data. These constraints render them ineffective in strict black-box and cross-domain settings. To dismantle these barriers, we introduce Zero2Text, a novel training-free framework based on recursive online alignment. Unlike methods relying on static datasets, Zero2Text synergizes LLM priors with a dynamic ridge regression mechanism to iteratively align generation to the target embedding on-the-fly. We further demonstrate that standard defenses, such as differential privacy, fail to effectively mitigate this adaptive threat. Extensive experiments across diverse benchmarks validate Zero2Text; notably, on MS MARCO against the OpenAI victim model, it achieves 1.8x higher ROUGE-L and 6.4x higher BLEU-2 scores compared to baselines, recovering sentences from unknown domains without a single leaked data pair.

翻译：检索增强生成（RAG）的广泛应用已使向量数据库成为关键基础设施，但它们也通过嵌入反演攻击引入了严重的隐私风险。现有方法面临一个根本性的权衡：基于优化的方法需要计算成本极高的查询，而基于对齐的方法则依赖于可获取域内训练数据这一不切实际的假设。这些限制使得它们在严格的黑盒和跨域场景中效果有限。为突破这些障碍，我们提出了Zero2Text——一种基于递归在线对齐的新型免训练框架。与依赖静态数据集的方法不同，Zero2Text将大语言模型先验知识与动态岭回归机制相结合，在生成过程中迭代地对齐目标嵌入。我们进一步证明，差分隐私等标准防御措施无法有效缓解这种自适应威胁。跨多个基准的广泛实验验证了Zero2Text的有效性；特别是在针对OpenAI受害模型的MS MARCO数据集上，其ROUGE-L分数较基线方法提升1.8倍，BLEU-2分数提升6.4倍，在未使用任何泄露数据对的情况下成功恢复了未知领域的句子。