Post-Cut Metadata Inference Attacks on Quantum Circuit Cutting Pipelines

Quantum circuit cutting enables near-term quantum devices to execute workloads exceeding their qubit capacity by decomposing circuits into independently runnable fragments. While this extends computational reach, it creates a previously unexplored confidentiality surface: the fragment-level execution transcript observable by a semi-honest cloud provider. We formalise this surface and demonstrate that post-cut transcripts constitute a practical metadata side channel. Operating solely on provider-visible compiled circuit metadata (fragment width, depth, and two-qubit gate count), we evaluate a structured inference attack across six classification objectives spanning algorithm identity, cut mechanism, and coarse Hamiltonian structure. Our corpus comprises 1,200 circuit fragments across eight algorithm families transpiled against three hardware topologies, validated on a 156-qubit production quantum computer confirming that QPU execution time remains invariant across a 25x variation in compiled depth. Under strict instance-disjoint generalisation, our attack recovers algorithm family with 0.960 accuracy (AUC 0.999), cut mechanism with 0.847 accuracy (AUC 0.924), and Hamiltonian k-locality with 0.960 accuracy (AUC 0.998). Connectivity and geometry inference achieve AUC of 0.986 and 0.942 with strong stability under size-holdout. Topology inference remains above chance (AUC 0.666). A matched-footprint control and ablation study confirm leakage is structure-dominated and not explained by scale artefacts. These results demonstrate that circuit cutting is not confidentiality-neutral and that metadata leakage should be treated as a first-class security concern in quantum cloud systems.