When the Prompt Becomes Visual: Vision-Centric Jailbreak Attacks for Large Image Editing Models
This addresses a critical safety problem for users of modern image editing systems by exposing new visual-based vulnerabilities, though it is incremental in focusing on a specific attack vector.
The paper tackles the safety risk of vision-prompt editing in large image editing models by proposing Vision-Centric Jailbreak Attack (VJA), which achieves attack success rates up to 80.9% on commercial models, and introduces a training-free defense to mitigate vulnerabilities.
Recent advances in large image editing models have shifted the paradigm from text-driven instructions to vision-prompt editing, where user intent is inferred directly from visual inputs such as marks, arrows, and visual-text prompts. While this paradigm greatly expands usability, it also introduces a critical and underexplored safety risk: the attack surface itself becomes visual. In this work, we propose Vision-Centric Jailbreak Attack (VJA), the first visual-to-visual jailbreak attack that conveys malicious instructions purely through visual inputs. To systematically study this emerging threat, we introduce IESBench, a safety-oriented benchmark for image editing models. Extensive experiments on IESBench demonstrate that VJA effectively compromises state-of-the-art commercial models, achieving attack success rates of up to 80.9% on Nano Banana Pro and 70.1% on GPT-Image-1.5. To mitigate this vulnerability, we propose a training-free defense based on introspective multimodal reasoning, which substantially improves the safety of poorly aligned models to a level comparable with commercial systems, without auxiliary guard models and with negligible computational overhead. Our findings expose new vulnerabilities, provide both a benchmark and practical defense to advance safe and trustworthy modern image editing systems. Warning: This paper contains offensive images created by large image editing models.