When the Prompt Becomes Visual: Vision-Centric Jailbreak Attacks for Large Image Editing Models

TL;DR

This paper introduces a novel visual jailbreak attack on large image editing models, demonstrates its effectiveness, and proposes a training-free defense to enhance safety without significant computational costs.

Contribution

It presents the first visual-to-visual jailbreak attack, introduces the IESBench benchmark, and proposes a simple yet effective defense mechanism for image editing models.

Findings

VJA achieves up to 80.9% attack success rate.

IESBench effectively evaluates model vulnerabilities.

The proposed defense improves safety with negligible overhead.

Abstract

Recent advances in large image editing models have shifted the paradigm from text-driven instructions to vision-prompt editing, where user intent is inferred directly from visual inputs such as marks, arrows, and visual-text prompts. While this paradigm greatly expands usability, it also introduces a critical and underexplored safety risk: the attack surface itself becomes visual. In this work, we propose Vision-Centric Jailbreak Attack (VJA), the first visual-to-visual jailbreak attack that conveys malicious instructions purely through visual inputs. To systematically study this emerging threat, we introduce IESBench, a safety-oriented benchmark for image editing models. Extensive experiments on IESBench demonstrate that VJA effectively compromises state-of-the-art commercial models, achieving attack success rates of up to 80.9% on Nano Banana Pro and 70.1% on GPT-Image-1.5. To mitigate this vulnerability, we propose a training-free defense based on introspective multimodal reasoning, which substantially improves the safety of poorly aligned models to a level comparable with commercial systems, without auxiliary guard models and with negligible computational overhead. Our findings expose new vulnerabilities, provide both a benchmark and practical defense to advance safe and trustworthy modern image editing systems. Warning: This paper contains offensive images created by large image editing models.