Poison-RAG: Adversarial Data Poisoning Attacks on Retrieval-Augmented Generation in Recommender Systems

📅 2025-01-20
📈 Citations: 0
Influential: 0
🤖 AI Summary
This study addresses adversarial poisoning attacks on retrieval-augmented generation (RAG) recommender systems, where tampering with item metadata (tags, descriptions) changes what the retriever surfaces and so degrades recommendation integrity. The authors propose Poison-RAG, a metadata-level poisoning framework tailored to RAG recommenders, modelled as a provider-side, black-box attacker who wants to promote long-tail items and demote popular ones. Methodologically, the attack comes in two variants: a local strategy that personalises injected tags per item using BERT embeddings, and a global strategy that substitutes one uniform tag set across the dataset. Both are evaluated on MovieLens with LLM-generated item metadata and OpenAI-API embeddings. Key findings: (1) popular items are more susceptible to metadata poisoning than long-tail items, which are harder to manipulate; (2) the local strategy improves manipulation effectiveness by up to 50%, while the global strategy risks boosting items that are already popular; (3) metadata is sparse, with roughly 70% of items lacking tags, which creates a cold-start surface; and (4) data augmentation and synthetic metadata generation are proposed as defensive countermeasures.

📝 Abstract
This study presents Poison-RAG, a framework for adversarial data poisoning attacks targeting retrieval-augmented generation (RAG)-based recommender systems. Poison-RAG manipulates item metadata, such as tags and descriptions, to influence recommendation outcomes. Using item metadata generated through a large language model (LLM) and embeddings derived via the OpenAI API, we explore the impact of adversarial poisoning attacks on the provider side, where attacks are designed to promote long-tail items and demote popular ones. Two attack strategies are proposed: local modifications, which personalize tags for each item using BERT embeddings, and global modifications, which apply uniform tags across the dataset. Experiments conducted on the MovieLens dataset in a black-box setting reveal that local strategies improve manipulation effectiveness by up to 50%, while global strategies risk boosting already popular items. Results indicate that popular items are more susceptible to attacks, whereas long-tail items are harder to manipulate. Approximately 70% of items lack tags, presenting a cold-start challenge; data augmentation and synthesis are proposed as potential defense mechanisms to enhance the resilience of RAG-based systems. The findings emphasize the need for robust metadata management to safeguard recommendation frameworks. Code and data are available at https://github.com/atenanaz/Poison-RAG.
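The two strategies the summary and abstract describe (local, per-item tag personalisation versus global, uniform tag substitution) can be reproduced end to end on a toy index. The block below is an added example, not code from the Poison-RAG paper or its repository, and it swaps in stand-ins for the paper's components: a bag-of-words cosine retriever in place of OpenAI embeddings, a hand-written tag-neighbour map in place of BERT similarity, and a constructed five-item catalog (the item ids, tags, descriptions and the query are all invented). The point it shows is the one the abstract reports: global injection lifts the already popular item to the top and pushes the long-tail target down, whereas local injection lifts only the target whose description the tags actually fit.

```python
"""Toy metadata-poisoning run against an embedding-style retriever.

Added example; not code from the Poison-RAG paper or its repository. Stand-ins
(assumptions): bag-of-words cosine instead of OpenAI embeddings, a hand-written
tag-neighbour map instead of BERT similarity, a constructed five-item catalog.
"""
import math
import re
from collections import Counter

# Constructed catalog: (item_id, tags, description, popularity).
# Tagless entries model the ~70% tag sparsity the paper reports on MovieLens.
CATALOG = [
    ("m1", ["thriller", "crime"], "a detective hunts a serial killer in the city", 950),
    ("m2", ["comedy"], "two friends open a restaurant and everything goes wrong", 800),
    ("m3", [], "a spy must stop a bomb before the summit begins", 40),
    ("m4", [], "a quiet drama about a family farm in winter", 25),
    ("m5", [], "an astronaut is stranded and must survive alone", 30),
]

# Hypothetical tag vocabulary with "nearest words" per tag: a stand-in for the
# BERT-embedding similarity the paper uses to personalise tags per item.
TAG_NEIGHBOURS = {
    "thriller": {"killer", "bomb", "stop", "hunts"},
    "crime": {"detective", "killer", "heist"},
    "suspense": {"bomb", "stop", "stranded"},
    "comedy": {"friends", "wrong", "laugh"},
    "drama": {"family", "quiet", "winter"},
    "space": {"astronaut", "stranded"},
    "survival": {"survive", "stranded", "alone"},
    "spy": {"spy", "summit", "agent"},
}


def tokens(text):
    return re.findall(r"[a-z]+", text.lower())


def item_vector(tags, description):
    # Tags and description are embedded together, as an index built over
    # "tags + description" text would do; poisoned tags enter the vector here.
    return Counter(tokens(" ".join(tags) + " " + description))


def cosine(a, b):
    dot = sum(a[t] * b[t] for t in a)
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0


def retrieve(query, catalog):
    """Item ids ranked by similarity; ties fall to the more popular item,
    the popularity bias a provider-side attacker is working against."""
    q = Counter(tokens(query))
    scored = [(cosine(q, item_vector(tags, desc)), pop, iid)
              for iid, tags, desc, pop in catalog]
    scored.sort(key=lambda s: (-s[0], -s[1]))
    return [iid for _, _, iid in scored]


def rank_of(item_id, ranking):
    return ranking.index(item_id) + 1


def metadata_sparsity(catalog):
    """Fraction of items with no tags: the cold-start surface the paper flags."""
    return sum(1 for _, tags, _, _ in catalog if not tags) / len(catalog)


def global_poison(catalog, unified_tags):
    """Global strategy: one tag set appended uniformly across the dataset."""
    return [(iid, tags + unified_tags, desc, pop) for iid, tags, desc, pop in catalog]


def pick_tags(description, k=2):
    """Per-item tags: candidates ranked by overlap with the item's own
    description (stable sort keeps vocabulary order on ties)."""
    words = set(tokens(description))
    ranked = sorted(TAG_NEIGHBOURS, key=lambda t: -len(TAG_NEIGHBOURS[t] & words))
    return [t for t in ranked if TAG_NEIGHBOURS[t] & words][:k]


def local_poison(catalog, targets, k=2):
    """Local strategy: personalised tags written only onto the target items."""
    return [(iid, tags + pick_tags(desc, k) if iid in targets else tags, desc, pop)
            for iid, tags, desc, pop in catalog]


def augment_tags(catalog, k=2):
    """Defensive augmentation: synthesise tags for every tagless item so no
    item stays cold-start. Same picker as the attack, run by the provider."""
    tagless = {iid for iid, tags, _, _ in catalog if not tags}
    return local_poison(catalog, tagless, k)


def attack_report(query="suspense thriller movie", target="m3"):
    """Rank of the long-tail target: clean index, global and local poisoning."""
    long_tail = {iid for iid, _, _, pop in CATALOG if pop < 100}
    clean = retrieve(query, CATALOG)
    glob = retrieve(query, global_poison(CATALOG, ["thriller", "suspense"]))
    loc = retrieve(query, local_poison(CATALOG, long_tail))
    return {"clean": rank_of(target, clean), "global": rank_of(target, glob),
            "local": rank_of(target, loc), "global_top": glob[0]}


if __name__ == "__main__":
    print("tag sparsity:", metadata_sparsity(CATALOG))
    print(attack_report())
    print("sparsity after augmentation:", metadata_sparsity(augment_tags(CATALOG)))
```

On this constructed data the spy film `m3` sits at rank 3 in the clean index, drops to rank 5 under the global attack (the popular `m1`, which already carried a `thriller` tag, takes the top slot), and reaches rank 1 under the local attack, which only writes `thriller`/`suspense` onto the one item whose description supports them. The same `pick_tags` routine, applied by the provider to every tagless item, is the augmentation the abstract proposes: it removes the cold-start gap that made tagless items so cheap to rewrite, which is why the paper frames metadata management, not the retriever, as the control point.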
Problem

Research questions and friction points this paper is trying to address.

Malicious Data Manipulation
Recommendation System
Poison-RAG Tool
Innovation

Methods, ideas, or system contributions that make the work stand out.

Poison-RAG
Data Augmentation
Language Model Manipulation