Multilingual jailbreaking of LLMs using low-resource languages

TL;DR

This study reveals that multilingual jailbreak attempts using low-resource African languages can bypass safety measures in LLMs, with translation quality being a key factor in success.

Contribution

It demonstrates that low-resource language translation impacts LLM safety vulnerabilities and provides empirical data on multilingual jailbreak effectiveness.

Findings

Multi-turn conversations significantly increase jailbreak success rates.

Poor translation quality limits the effectiveness of jailbreak attempts.

Human red-teaming yields higher jailbreak rates than automated testing.

Abstract

Large Language Models (LLMs) remain vulnerable to jailbreak attempts that circumvent safety guardrails. We investigate whether multi-turn conversations using low-resource African languages (Afrikaans, Kiswahili, isiXhosa, and isiZulu) can bypass safety mechanisms across commercial LLMs. We translated prompts from existing datasets and evaluated ChatGPT, Claude, DeepSeek, Gemini, and Grok through automated testing and human red-teaming with native speakers. Single-turn translation attacks proved ineffective, while multi-turn conversations achieved English harmful response rates from 52.7% (Claude 3.5 Haiku) to 83.6% (GPT-4o-mini), Afrikaans from 60.0% (Claude 3.5 Haiku) to 78.2% (GPT-4o-mini), and Kiswahili from 41.8% (Claude 3.5 Haiku) to 70.9% (DeepSeek). Human red-teaming increased jailbreak rates compared to automated methods. Over all evaluated languages, the average jailbreak rate increased from 59.8% to 75.8%, with improvements of +20.0% (Afrikaans), +12.7% (isiZulu), +12.3% (isiXhosa), and +1% (Kiswahili), demonstrating that poor translation quality limits jailbreak success. These findings suggest that vulnerabilities in LLMs persist in multilingual contexts and that translation quality is the critical factor determining jailbreak success in low-resource languages.