{"id":"https://openalex.org/W7160203706","doi":"https://doi.org/10.48550/arxiv.2605.00583","title":"Jailbreaking Vision-Language Models Through the Visual Modality","display_name":"Jailbreaking Vision-Language Models Through the Visual Modality","publication_year":2026,"publication_date":"2026-05-01","ids":{"openalex":"https://openalex.org/W7160203706","doi":"https://doi.org/10.48550/arxiv.2605.00583"},"language":null,"primary_location":{"id":"doi:10.48550/arxiv.2605.00583","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2605.00583","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"article"},"type":"preprint","indexed_in":["datacite"],"open_access":{"is_oa":true,"oa_status":"green","oa_url":"https://doi.org/10.48550/arxiv.2605.00583","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5089485508","display_name":"Aharon Azulay","orcid":"https://orcid.org/0000-0003-4421-8477"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Azulay, Aharon","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5135156558","display_name":"Jan Dubi\u0144ski","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Dubi\u0144ski, Jan","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5135109235","display_name":"Zhuoyun Li","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Li, Zhuoyun","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5135206772","display_name":"Atharv Mittal","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Mittal, Atharv","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"last","author":{"id":"https://openalex.org/A5051101769","display_name":"Yossi Gandelsman","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Gandelsman, Yossi","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]}],"institutions":[],"countries_distinct_count":0,"institutions_distinct_count":5,"corresponding_author_ids":[],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":null,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":null,"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":null,"last_page":null},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11689","display_name":"Adversarial Robustness in Machine Learning","score":0.9114999771118164,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11689","display_name":"Adversarial Robustness in Machine Learning","score":0.9114999771118164,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.03970000147819519,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.00430000014603138,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/interpretability","display_name":"Interpretability","score":0.8263999819755554},{"id":"https://openalex.org/keywords/context","display_name":"Context (archaeology)","score":0.6240000128746033},{"id":"https://openalex.org/keywords/modality","display_name":"Modality (human\u2013computer interaction)","score":0.5564000010490417},{"id":"https://openalex.org/keywords/analogy","display_name":"Analogy","score":0.492000013589859},{"id":"https://openalex.org/keywords/decoding-methods","display_name":"Decoding methods","score":0.39469999074935913},{"id":"https://openalex.org/keywords/encoding","display_name":"Encoding (memory)","score":0.387800008058548}],"concepts":[{"id":"https://openalex.org/C2781067378","wikidata":"https://www.wikidata.org/wiki/Q17027399","display_name":"Interpretability","level":2,"score":0.8263999819755554},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.6672000288963318},{"id":"https://openalex.org/C2779343474","wikidata":"https://www.wikidata.org/wiki/Q3109175","display_name":"Context (archaeology)","level":2,"score":0.6240000128746033},{"id":"https://openalex.org/C154945302","wikidata":"https://www.wikidata.org/wiki/Q11660","display_name":"Artificial intelligence","level":1,"score":0.5673999786376953},{"id":"https://openalex.org/C2780226545","wikidata":"https://www.wikidata.org/wiki/Q6888030","display_name":"Modality (human\u2013computer interaction)","level":2,"score":0.5564000010490417},{"id":"https://openalex.org/C521332185","wikidata":"https://www.wikidata.org/wiki/Q185816","display_name":"Analogy","level":2,"score":0.492000013589859},{"id":"https://openalex.org/C31972630","wikidata":"https://www.wikidata.org/wiki/Q844240","display_name":"Computer vision","level":1,"score":0.4255000054836273},{"id":"https://openalex.org/C57273362","wikidata":"https://www.wikidata.org/wiki/Q576722","display_name":"Decoding methods","level":2,"score":0.39469999074935913},{"id":"https://openalex.org/C125411270","wikidata":"https://www.wikidata.org/wiki/Q18653","display_name":"Encoding (memory)","level":2,"score":0.387800008058548},{"id":"https://openalex.org/C134400042","wikidata":"https://www.wikidata.org/wiki/Q2372244","display_name":"Symbol (formal)","level":2,"score":0.3774999976158142},{"id":"https://openalex.org/C36464697","wikidata":"https://www.wikidata.org/wiki/Q451553","display_name":"Visualization","level":2,"score":0.364300012588501},{"id":"https://openalex.org/C107457646","wikidata":"https://www.wikidata.org/wiki/Q207434","display_name":"Human\u2013computer interaction","level":1,"score":0.28220000863075256},{"id":"https://openalex.org/C168167062","wikidata":"https://www.wikidata.org/wiki/Q1117970","display_name":"Component (thermodynamics)","level":2,"score":0.2728999853134155},{"id":"https://openalex.org/C12713177","wikidata":"https://www.wikidata.org/wiki/Q1900281","display_name":"Perspective (graphical)","level":2,"score":0.2646999955177307},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.26440000534057617},{"id":"https://openalex.org/C79106606","wikidata":"https://www.wikidata.org/wiki/Q735197","display_name":"Afterimage","level":3,"score":0.25200000405311584}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.48550/arxiv.2605.00583","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2605.00583","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":null,"is_accepted":false,"is_published":null,"raw_source_name":null,"raw_type":"article"}],"best_oa_location":{"id":"doi:10.48550/arxiv.2605.00583","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2605.00583","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"article"},"sustainable_development_goals":[{"display_name":"Peace, Justice and strong institutions","score":0.7385433912277222,"id":"https://metadata.un.org/sdg/16"}],"awards":[],"funders":[],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":0,"referenced_works":[],"related_works":[],"abstract_inverted_index":{"The":[0],"visual":[1,30,71,79,95,121],"modality":[2],"of":[3],"vision-language":[4],"models":[5],"(VLMs)":[6],"is":[7],"an":[8,132],"underexplored":[9],"attack":[10,125,142],"surface":[11],"for":[12,50,131,165],"bypassing":[13],"safety":[14,98,107,166],"alignment.":[15],"We":[16],"introduce":[17],"four":[18],"jailbreak":[19],"attacks":[20,96],"exploiting":[21],"the":[22,54,74,141],"vision":[23,160],"component:":[24],"(1)":[25],"encoding":[26],"harmful":[27,39,51,59,114],"instructions":[28],"as":[29,161],"symbol":[31],"sequences":[32],"with":[33,41,67],"a":[34,86,102,162],"decoding":[35],"legend,":[36],"(2)":[37],"replacing":[38,58],"objects":[40],"benign":[42,68],"substitutes":[43],"(e.g.,":[44,63],"bomb":[45],"-&gt;":[46],"banana)":[47],"then":[48],"prompting":[49],"actions":[52],"using":[53],"substitute":[55],"term,":[56],"(3)":[57],"text":[60],"in":[61],"images":[62],"on":[64,127],"book":[65],"covers)":[66],"words":[69],"while":[70],"context":[72],"preserves":[73],"original":[75],"meaning,":[76],"and":[77,100,148],"(4)":[78],"analogy":[80],"puzzles":[81],"whose":[82],"solution":[83],"requires":[84,158],"inferring":[85],"prohibited":[87],"concept.":[88],"Evaluating":[89],"across":[90],"six":[91],"frontier":[92],"VLMs,":[93],"our":[94,120,138],"bypass":[97],"alignment":[99,104,157],"expose":[101],"cross-modality":[103],"gap:":[105],"text-based":[106],"training":[108],"does":[109],"not":[110],"automatically":[111],"generalize":[112],"to":[113],"intent":[115],"conveyed":[116],"visually.":[117],"For":[118],"example,":[119],"cipher":[122],"achieves":[123],"40.9%":[124],"success":[126],"Claude-Haiku-4.5":[128],"versus":[129],"10.7%":[130],"equivalent":[133],"textual":[134],"cipher.":[135],"To":[136],"further":[137],"insight":[139],"into":[140],"mechanism,":[143],"we":[144],"present":[145],"preliminary":[146],"interpretability":[147],"mitigation":[149],"results.":[150],"These":[151],"findings":[152],"highlight":[153],"that":[154],"robust":[155],"VLM":[156],"treating":[159],"first-class":[163],"target":[164],"post-training.":[167]},"counts_by_year":[],"updated_date":"2026-06-11T09:08:48.828518","created_date":"2026-05-05T00:00:00"}