Impact of prompt tuning and adversarial attacks on multimodal pragmatic jailbreak

The paper introduces multimodal pragmatic jailbreaks in diffusion-based text-to-image models, where images containing rendered typographic text can be safe when each modality is considered independently but unsafe when interpreted jointly. The authors construct the MPUP dataset of 1,200 prompts and show that nine representative models, including commercial systems, are vulnerable, with high attack success rates.

They evaluate common real-world defenses (prompt blocklists, semantic similarity checks, LLM-based prompt moderation, and image safety classifiers) and find unimodal defenses inadequate for detecting multimodal pragmatic unsafe content. In the limitations, the authors point out that the role of prompt tuning and adversarial attacks in this jailbreak context has not been studied, highlighting a concrete gap for future research.