When Poison Fails After Retrieval: Revisiting Corpus Poisoning under Chunking and Reranking Pipelines

📅 2026-06-09
📈 Citations: 0
Influential: 0
🤖 AI Summary
Existing corpus poisoning attacks degrade significantly in real-world multi-stage retrieval-augmented generation (RAG) systems, primarily because they neglect how document chunking and reranking affect attack efficacy. In particular, the mismatch between poisoning granularity and retrieval units often renders attacks ineffective. To address this, this work proposes the Chunk-aware and Rerank-Consistent Poisoning (CRCP) framework, which, for the first time, explicitly models chunking transformations and generates locally self-contained adversarial passages that jointly preserve dense retrieval relevance, reranker consistency, and robustness to chunk boundaries. Experimental results demonstrate that CRCP substantially improves attack success rates across multiple RAG benchmarks and maintains strong robustness under diverse chunking strategies and rerankers.
📝 Abstract
Retrieval-Augmented Generation (RAG) systems are vulnerable to corpus poisoning attacks that manipulate downstream model outputs through malicious knowledge injection. Existing studies mainly evaluate poisoning under simplified retrieval settings, overlooking practical RAG pipelines involving document chunking, dense retrieval, reranking, and grounded generation. In this paper, we revisit corpus poisoning under realistic multi-stage retrieval pipelines and show that many existing attacks substantially degrade after reranking despite achieving high retrieval-stage relevance. We identify retrieval granularity mismatch as a key reason for this failure: document-level adversarial signals are often fragmented during chunking, while rerankers favor locally coherent and answer-bearing passages rather than globally optimized semantic similarity. Based on this observation, we propose Chunk-aware and Rerank-Consistent Poisoning (CRCP), a poisoning framework that jointly optimizes retrieval relevance, reranker consistency, and chunk-boundary robustness. CRCP explicitly models chunking transformations during optimization to generate locally self-contained adversarial passages that remain effective under varying chunking configurations. Experiments on standard RAG benchmarks with multiple retrievers and rerankers show that existing poisoning methods are highly sensitive to chunk size and reranking strategies, whereas CRCP achieves substantially higher attack success rates and stronger robustness across realistic retrieval pipelines. Our findings highlight an important realism gap in current RAG security evaluation and suggest that poisoning in modern RAG systems should be studied as a multi-stage retrieval consistency problem rather than a retrieval-only problem.
Problem

Research questions and friction points this paper is trying to address.

corpus poisoning
Retrieval-Augmented Generation
chunking
reranking
retrieval pipelines
Innovation

Methods, ideas, or system contributions that make the work stand out.

corpus poisoning
retrieval-augmented generation
chunking
reranking
adversarial robustness