Retrieval-Augmented Generation (RAG) systems are vulnerable to corpus poisoning attacks that manipulate downstream model outputs through malicious knowledge injection. Existing studies mainly evaluate poisoning under simplified retrieval settings, overlooking practical RAG pipelines involving document chunking, dense retrieval, reranking, and grounded generation. In this paper, we revisit corpus poisoning under realistic multi-stage retrieval pipelines and show that many existing attacks substantially degrade after reranking despite achieving high retrieval-stage relevance. We identify retrieval granularity mismatch as a key reason for this failure: document-level adversarial signals are often fragmented during chunking, while rerankers favor locally coherent and answer-bearing passages rather than globally optimized semantic similarity. Based on this observation, we propose Chunk-aware and Rerank-Consistent Poisoning (CRCP), a poisoning framework that jointly optimizes retrieval relevance, reranker consistency, and chunk-boundary robustness. CRCP explicitly models chunking transformations during optimization to generate locally self-contained adversarial passages that remain effective under varying chunking configurations. Experiments on standard RAG benchmarks with multiple retrievers and rerankers show that existing poisoning methods are highly sensitive to chunk size and reranking strategies, whereas CRCP achieves substantially higher attack success rates and stronger robustness across realistic retrieval pipelines. Our findings highlight an important realism gap in current RAG security evaluation and suggest that poisoning in modern RAG systems should be studied as a multi-stage retrieval consistency problem rather than a retrieval-only problem.

翻译：检索增强生成（RAG）系统易受语料投毒攻击，这类攻击通过恶意知识注入操纵下游模型输出。现有研究主要在简化的检索设置下评估投毒效果，却忽视了涵盖文档分块、稠密检索、重排序和基于阅读器的生成等实际RAG流水线。本文重新审视了真实多阶段检索流水线中的语料投毒，发现尽管许多现有攻击在检索阶段实现了高相关性，但在重排序后攻击效果显著下降。我们将检索粒度不匹配确定为这种失效的关键原因：文档级对抗信号在分块时往往被碎片化，而重排序器更偏好局部连贯且包含答案的段落而非全局优化后的语义相似性。基于这一发现，我们提出分块感知与重排序一致的投毒（CRCP）框架，该框架联合优化检索相关性、重排序一致性和分块边界鲁棒性。CRCP在优化过程中显式建模分块变换，生成局部自洽的对抗性段落，使其在不同分块配置下仍保持有效性。在标准RAG基准上使用多种检索器和重排序器的实验表明，现有投毒方法对分块大小和重排序策略高度敏感，而CRCP在真实检索流水线中实现了显著更高的攻击成功率和更强的鲁棒性。我们的发现揭示了当前RAG安全评估中存在的现实性差距，表明现代RAG系统中的投毒应作为多阶段检索一致性问题而非单纯检索问题进行研究。