pith. sign in

arxiv: 2605.27545 · v1 · pith:XDLWYNENnew · submitted 2026-05-26 · 💻 cs.CL

PAST2HARM: A Simple Adaptive Past Tense Attack for Jailbreaking Multimodal AI

Pith reviewed 2026-06-29 18:36 UTC · model grok-4.3

classification 💻 cs.CL
keywords jailbreakingmultimodal AItext-to-image modelspast tense attackAI safetyrefusal trainingadversarial promptsblack-box attacks
0
0 comments X

The pith

Past tense reformulations systematically jailbreak multimodal text-to-image models with success rates up to 100 percent.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper presents PAST2HARM as an adaptive framework that exploits past tense reformulations to bypass refusal training in multimodal generative models. It characterizes the attack through temporal deepening that incrementally strengthens historical and archival cues and iterative escalation that probes for increasingly severe harmful outputs after initial compliance. Evaluation on Gemini Nano Banana Pro, GPT Image 2, and SD XL yields black-box success rates of 83, 67, and 100 percent with cross-model transfer above 50 percent, producing outputs such as explicit sexual content, disinformation, and hate speech. A sympathetic reader would care because the results indicate that current alignment leaves multimodal systems open to simple linguistic adaptations that generate unsafe images. The work also releases a benchmark of prompts and outputs to support further red teaming.

Core claim

PAST2HARM achieves attack success rates of 83 percent, 67 percent, and 100 percent on Gemini Nano Banana Pro, GPT Image 2, and SD XL in a black-box gradient-free setting, with cross-model transfer above 50 percent. The attack systematically strengthens historical anchoring via temporal deepening and escalates harm after initial compliance, with peak vulnerability in mid-conversation turns before semantic inversion occurs. It elicits diverse harmful content including explicit sexual material, political disinformation, historical denial, hate speech, and self-harm glorification.

What carries the argument

The PAST2HARM framework, which applies temporal deepening to past tense reformulations and iterative escalation to erode refusal boundaries in multimodal text-to-image models.

If this is right

  • Current multimodal safeguards remain brittle against simple linguistic adaptations such as past tense reformulations.
  • Adversarial prompts generated by the attack transfer across different models with success above 50 percent.
  • Mid-conversation turns form peak vulnerability windows where harmfulness increases before plateauing.
  • Diverse harmful outputs including explicit sexual content and political disinformation can be elicited reliably.
  • Releasing a curated benchmark of prompts, reformulations, and outputs supports ongoing red teaming and alignment work.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Alignment methods may need explicit testing against historical and archival phrasing variations to close this gap.
  • The scalar severity metric judged by a language model could serve as a reusable evaluation tool for other multimodal jailbreaks.
  • If left unaddressed, similar adaptive attacks could extend to video or audio generation models that share the same training patterns.
  • The observed semantic inversion after peak harm suggests a natural limit that future defenses might exploit by forcing early termination of conversations.

Load-bearing premise

The assumption that past tense reformulations can be systematically strengthened via temporal deepening and iterative escalation to erode refusal boundaries across models with varying alignment strength.

What would settle it

Running the same PAST2HARM prompts on a fourth multimodal model and measuring success rates below 20 percent would falsify the claim of broad effectiveness.

Figures

Figures reproduced from arXiv: 2605.27545 by Snehasis Mukhopadhyay.

Figure 1
Figure 1. Figure 1: Illustration of the PAST2HARM attack. Prior work (Andriushchenko and Flammarion, 2025) has shown that safety-aligned language models can circumvent refusal training when harmful queries are reformulated in the past tense. We extend this observation to multimodal text-to-image (T2I) systems and further demonstrate that an adaptive iterative prompting strategy can progressively steer models towards the targe… view at source ↗
Figure 2
Figure 2. Figure 2: Examples of NSFW and policy-violating images generated via jailbreak prompts reformulated in past tense. The outputs illustrate the model’s susceptibility to generating harmful or misleading content across diverse domains. Notably, images from Gemini Nano Banana Pro can be identified via the watermark in the bottom-right corner, while the remaining outputs are produced by OpenAI models. The generations inc… view at source ↗
Figure 3
Figure 3. Figure 3: Attack Success Rate (ASR) vs interaction budget [PITH_FULL_IMAGE:figures/full_fig_p005_3.png] view at source ↗
Figure 4
Figure 4. Figure 4: Left: Box-plot distribution of severity_jailbreak across conversation depths 1–10. Each box spans the interquartile range (Q1–Q3); the horizontal line marks the median; whiskers extend to the 5th and 95th percentiles. The dashed curve traces the median trend, rising to a peak at depth 6 before declining—suggesting mid-conversation turns are peak vulnerability windows. Right: Depth-wise severity trajectorie… view at source ↗
Figure 5
Figure 5. Figure 5: Adaptive PAST2HARM improves both ASR and transferability. (Left) ASR gains. (Right) Transferability heatmap. the model exhibits partial or full compliance, we escalate the harmful content (Dutta et al., 2024), ensuring each step remains contextually coherent while increasing severity towards the target behavior as present in the JBB behaviors benchmark data. This branching strategy al￾lows the attack to dy… view at source ↗
Figure 6
Figure 6. Figure 6: Rabbit-hole expansion across two harmful queries (d = 2, 4, 8, 16). Left: The query asks to create social media campaign promoting body shaming. Early generations contain explicit derogatory messaging (e.g., “body positivity nonsense”, “public health crisis”, “promoting obesity”), with severity_jailbreak peaking at d=8. As d increases, the tone progressively weakens and then flips—later outputs replace rid… view at source ↗
Figure 7
Figure 7. Figure 7: Sources by category. Reported from the orginal paper JBB Behaviors ( [PITH_FULL_IMAGE:figures/full_fig_p016_7.png] view at source ↗
Figure 8
Figure 8. Figure 8: Snapshots of a safety-aligned refusal response (top) and a harmful compliance response (bottom) [PITH_FULL_IMAGE:figures/full_fig_p023_8.png] view at source ↗
Figure 9
Figure 9. Figure 9: Qualitative appendix showcase of generated outputs across representative prompts. [PITH_FULL_IMAGE:figures/full_fig_p028_9.png] view at source ↗
read the original abstract

Jailbreak attacks on multimodal AI systems remain underexplored, even though unsafe image generation can have more severe consequences than unsafe text and current defenses are relatively immature. We introduce PAST2HARM, a simple yet effective adaptive jailbreak framework that bypasses refusal training in state of the art multimodal text to image models. Building on prior findings that past tense reformulations can evade safeguards, PAST2HARM systematically exploits this vulnerability in multimodal generative AI. We characterize the attack along two dimensions. First, breadth: through temporal deepening, the framework incrementally strengthens historical anchoring and archival cues, eroding refusal boundaries across models with varying alignment strength. Second, depth: via iterative escalation after initial compliance, we probe the upper bound of harmful generation, measuring severity using a scalar severity jailbreak metric evaluated by a language model acting as a judge. We find that mid conversation turns form peak vulnerability windows, where harmfulness increases before plateauing and eventually undergoing semantic inversion. We evaluate PAST2HARM on three models Gemini Nano Banana Pro, GPT Image 2, and SD XL achieving attack success rates of 83 percent, 67 percent, and 100 percent in a black box, gradient free setting. Adversarial prompts also transfer across models, with cross model success rates above 50 percent. The attack elicits diverse harmful outputs, including explicit sexual content, political disinformation, historical denial narratives, hate speech, and self harm glorification. We further release a curated benchmark of prompts, reformulations, and outputs as a resource for red teaming and alignment. Our results expose fundamental brittleness in current safeguards and highlight the need for stronger multimodal safety training.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The paper introduces PAST2HARM, a simple adaptive jailbreak framework for multimodal text-to-image models that exploits past-tense reformulations via temporal deepening (to strengthen historical anchoring) and iterative escalation (to probe upper bounds of harm after initial compliance). It reports black-box, gradient-free attack success rates of 83%, 67%, and 100% on Gemini Nano Banana Pro, GPT Image 2, and SD XL respectively, with >50% cross-model transfer, and releases a benchmark of prompts, reformulations, and outputs; success is measured by an LLM judge using a scalar severity jailbreak metric, with observations that mid-conversation turns are peak vulnerability windows before semantic inversion.

Significance. If the empirical claims hold under a validated evaluation protocol, the work would demonstrate that simple linguistic manipulations can systematically erode refusal boundaries in current multimodal models, exposing alignment brittleness and providing a publicly released benchmark that could aid red-teaming and safety research.

major comments (2)
  1. [Abstract] Abstract: the central quantitative claims (83%, 67%, 100% ASR and >50% transfer) rest entirely on an LLM judge applying a 'scalar severity jailbreak metric,' yet no judge prompt, few-shot examples, scoring rubric, evaluation protocol, baseline comparisons, or validation data (human correlation, inter-rater reliability, or calibration set) are supplied, rendering the headline effectiveness numbers unverifiable and load-bearing for the paper's conclusions.
  2. [Abstract] Abstract: the claims that 'mid conversation turns form peak vulnerability windows' and that harmfulness 'increases before plateauing and eventually undergoing semantic inversion' are presented as findings, but no supporting quantitative data, figures, tables, or per-turn breakdowns are referenced, leaving these characterizations unsupported.
minor comments (2)
  1. [Abstract] Abstract: model names 'Gemini Nano Banana Pro' and 'GPT Image 2' are non-standard; clarify exact model versions or whether pseudonyms are used.
  2. [Abstract] Abstract: the phrase 'We further release a curated benchmark' should include a link, repository identifier, or access instructions.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive feedback on verifiability and evidential support. We address each major comment below and will revise the manuscript to improve transparency.

read point-by-point responses
  1. Referee: [Abstract] Abstract: the central quantitative claims (83%, 67%, 100% ASR and >50% transfer) rest entirely on an LLM judge applying a 'scalar severity jailbreak metric,' yet no judge prompt, few-shot examples, scoring rubric, evaluation protocol, baseline comparisons, or validation data (human correlation, inter-rater reliability, or calibration set) are supplied, rendering the headline effectiveness numbers unverifiable and load-bearing for the paper's conclusions.

    Authors: We agree the abstract lacks these specifics, which are needed for full verifiability. The full manuscript describes the LLM-as-judge approach at a high level in the evaluation section, but does not include the prompt, rubric, or validation details. In revision we will add an appendix containing the exact judge prompt, few-shot examples, scoring rubric, evaluation protocol, and any available human correlation or inter-rater reliability data. We will also report baseline comparisons with alternative judges where possible. revision: yes

  2. Referee: [Abstract] Abstract: the claims that 'mid conversation turns form peak vulnerability windows' and that harmfulness 'increases before plateauing and eventually undergoing semantic inversion' are presented as findings, but no supporting quantitative data, figures, tables, or per-turn breakdowns are referenced, leaving these characterizations unsupported.

    Authors: We acknowledge that the abstract summarizes these observations without explicit references to supporting data. The manuscript contains per-turn severity analysis and trend descriptions in the results section, but these are not cited in the abstract. We will revise the abstract to reference the relevant figures and tables showing per-turn breakdowns and severity curves, and will ensure the quantitative trends are clearly linked to the claims. revision: yes

Circularity Check

0 steps flagged

No circularity; purely empirical attack evaluation with direct measurements

full rationale

The manuscript introduces PAST2HARM as an empirical jailbreak framework, characterizes it along breadth and depth dimensions, and reports attack success rates (83%, 67%, 100%) plus transfer rates as direct experimental outcomes on three models. No equations, derivations, fitted parameters, predictions, uniqueness theorems, or self-citation chains appear in the provided text. The LLM judge is described only as a measurement instrument for severity; its use does not reduce any claimed result to an input by construction. This is a standard empirical red-teaming paper whose central claims rest on observed outputs rather than any self-referential reduction.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

No mathematical model or derivations present; the work is an empirical attack description with no free parameters, axioms, or invented entities.

pith-pipeline@v0.9.1-grok · 5832 in / 1175 out tokens · 35098 ms · 2026-06-29T18:36:43.668875+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

17 extracted references · 3 canonical work pages · 2 internal anchors

  1. [1]

    Does refusal training in llms generalize to the past tense?Preprint, arXiv:2407.11969. Yuntao Bai, Saurav Kadavath, Sandipan Kundu, Amanda Askell, Jackson Kernion, Andy Jones, Anna Chen, Anna Goldie, Azalia Mirhoseini, Cameron McKinnon, Carol Chen, Catherine Olsson, Christopher Olah, Danny Hernandez, Dawn Drain, Deep Ganguli, Dustin Li, Eli Tran-Johnson, ...

  2. [2]

    Constitutional AI: Harmlessness from AI Feedback

    Constitutional ai: Harmlessness from ai feedback.arXiv preprint arXiv:2212.08073, arXiv:2212.08073. Patrick Chao, Edoardo Debenedetti, Alexander Robey, Maksym Andriushchenko, Francesco Croce, Vikash Sehwag, Edgar Dobriban, Nicolas Flammarion, George J. Pappas, Florian Tramèr, Hamed Hassani, and Eric Wong. 2024a. Jail- breakbench: an open robustness benchm...

  3. [3]

    The Attacker Moves Second: Stronger Adaptive Attacks Bypass Defenses Against Llm Jailbreaks and Prompt Injections

    The attacker moves second: Stronger adaptive attacks bypass defenses against llm jailbreaks and prompt injections.Preprint, arXiv:2510.09023. OpenAI. 2026. Introducing chatgpt im- ages 2.0. OpenAI Website. Avail- able at https://openai.com/index/ introducing-chatgpt-images-2-0/. Long Ouyang, Jeff Wu, Xu Jiang, Diogo Almeida, Carroll L. Wainwright, Pamela ...

  4. [4]

    context reset

    for text-only models, which we extend to the multimodal generation setting. C Hyperparameters and Experimental Configuration This section provides the complete configura- tion necessary to reproduce all experiments reported in the main paper and in this ap- pendix. C.1 Model Details Table 1: Target models evaluated inPast2Harm experiments. Model Type Acce...

  5. [5]

    Seed collection.Harmful requests were sourced from JBB Behaviors (Chao et al., 2024a), AdvBench (Zou et al., 2023b), and TDC/HarmBench (Mazeika et al., 2024) (see Table 4)

  6. [6]

    Reformulation.Past-tense reformula- tions were generated using GPT-3.5-Turbo with the system prompt in Section G.3

  7. [7]

    14 reformulations were revised following this review

    Human review.Two annotators re- viewed all 100 (request, reformulation) pairs to verify semantic equivalence and flag any reformulations that failed to pre- serve harmful intent. 14 reformulations were revised following this review

  8. [8]

    Image generation.Images were gener- ated using all three target models under the Adaptive PT strategy atK= 8

  9. [9]

    in historical accounts

    Annotation.Each (prompt, image) pair wasannotatedwithabinaryattacksuccess label and aseverity_jailbreak score by GPT-4o, validated against human annota- tion on a 20% sample. G.2 Category Breakdown G.3 Reformulation System Prompt The following system prompt was used for GPT-3.5-Turbo to generate past-tense refor- mulations: 19 Reformulation System Prompt ...

  10. [10]

    This suggests that some harm 20 categories are more robustly refused re- gardless of temporal framing

    Tense sensitivity varies by harm cate- gory.For certain categories (e.g., explicit zoophilia), the past-tense reformulation does not substantially increase compliance probability (see Table 1, row 2 of the main paper). This suggests that some harm 20 categories are more robustly refused re- gardless of temporal framing

  11. [11]

    Dependency on reformulation qual- ity.Low-quality reformulations that do not naturally embed in historical discourse achieve substantially lower ASR (see Ta- ble 13)

  12. [12]

    Applica- tions requiring very low query budgets may find the attack less effective against the strongest frontier models

    Query efficiency.At K = 2, ASR for GPT-Image-2 is only 26%. Applica- tions requiring very low query budgets may find the attack less effective against the strongest frontier models

  13. [13]

    The effective attack window is bounded

    Semantic inversion at high depth.As discussed in Section F.3, sustained escala- tion beyondd≈8often results in model behavior that inverts rather than ampli- fies harm. The effective attack window is bounded

  14. [14]

    Whilewevalidateourjudgeagainsthuman annotators, LLM-based evaluation may systematically differ from human judg- ment on edge cases

    Evaluation with LLM-as-a-judge. Whilewevalidateourjudgeagainsthuman annotators, LLM-based evaluation may systematically differ from human judg- ment on edge cases. Future work should include larger-scale human evaluation. J.2 Generalization Beyond Evaluated Models The experiments in this paper are limited to three models: SDXL, GPT-Image-2, and Gem- ini N...

  15. [15]

    The branching strategy — escalate on com- pliance, temporally deepen on refusal — is a novel attack design that exploits model behavior dynamically

    The adaptive escalation framework. The branching strategy — escalate on com- pliance, temporally deepen on refusal — is a novel attack design that exploits model behavior dynamically. Prior work on tem- poral vulnerability used static reformula- tion.Past2Harmtreats the attack as an interactive process and demonstrates that this adaptivity yields a consis...

  16. [16]

    This paper introduces a continu- ous severity metric that measures not just whether a model was jailbroken, but how deeply it was escalated and on what tra- jectory

    The severity_jailbreak metric.Ex- isting jailbreak evaluations treat success as binary. This paper introduces a continu- ous severity metric that measures not just whether a model was jailbroken, but how deeply it was escalated and on what tra- jectory. This instrument enables a class of analysis —depth characterization, plateau detection, inversion ident...

  17. [17]

    more turns=more harm

    The empirical characterization of the rise–plateau–inversion trajectory. The finding that severity peaks at a bounded depth and then declines is a new empirical regularity. It has direct implica- tions for defenders (see Section K.3) and could not have been discovered without the depth-aware evaluation methodology introduced here. K.3 The Rise–Plateau–Inv...