# Attacks on Approximate Caches in Text-to-Image Diffusion Models

**Authors:** Desen Sun, Shuncheng Jie, Sihang Liu

arXiv: 2508.20424 · 2026-01-23

## TL;DR

This paper uncovers significant security vulnerabilities in approximate caching for diffusion models, demonstrating remote covert channels, prompt stealing, and poisoning attacks that compromise user isolation and prompt integrity.

## Contribution

It provides the first comprehensive security assessment of approximate caching in diffusion models, revealing new remote attack vectors and vulnerabilities.

## Key findings

- Remote covert channel established via approximate cache
- Prompt stealing attack recovers cached prompts
- Poisoning attack embeds logos into cached prompts

## Abstract

Diffusion models are a powerful class of generative models that produce images and other content from user prompts, but they are computationally intensive. To mitigate this cost, recent academic and industry work has adopted approximate caching, which reuses intermediate states from similar prompts in a cache. While efficient, this optimization introduces new security risks by breaking isolation among users. This paper provides a comprehensive assessment of the security vulnerabilities introduced by approximate caching. First, we demonstrate a remote covert channel established with the approximate cache, where a sender injects prompts with special keywords into the cache system and a receiver can recover that even after days, to exchange information. Second, we introduce a prompt stealing attack using the approximate cache, where an attacker can recover existing cached prompts from hits. Finally, we introduce a poisoning attack that embeds the attacker's logos into the previously stolen prompt, leading to unexpected logo rendering for the requests that hit the poisoned cache prompts. These attacks are all performed remotely through the serving system, demonstrating severe security vulnerabilities in approximate caching. The code for this work is available.

---
Source: https://tomesphere.com/paper/2508.20424