attack 2026

Jailbreaking Frontier Foundation Models Through Intention Deception

Xinhe Wang , Katia Sycara , Yaqi Xie

Carnegie Mellon University

0 citations
α

Published on arXiv

2604.24082

Prompt Injection

OWASP LLM Top 10 — LLM01

Key Finding

Achieves high success rates jailbreaking GPT-5-thinking and Claude-Sonnet-4.5 through multi-turn intent deception and discovers para-jailbreaking as a new class of vulnerability

Intention Deception Attack

Novel technique introduced

Large (vision-)language models exhibit remarkable capability but remain highly susceptible to jailbreaking. Existing safety training approaches aim to have the model learn a refusal boundary between safe and unsafe, based on the user's intent. It has been found that this binary training regime often leads to brittleness, since the user intent cannot reliably be evaluated, especially if the attacker obfuscates their intent, and also makes the system seem unhelpful. In response, frontier models, such as GPT-5, have shifted from refusal-based safeguards to safe completion, that aims to maximize helpfulness while obeying safety constraints. However, safe completion could be exploited when a user pretends their intention is benign. Specifically, this intent inversion would be effective in multi-turn conversation, where the attacker has multiple opportunities to reinforce their deceptively benign intent. In this work, we introduce a novel multi-turn jailbreaking method that exploits this vulnerability. Our approach gradually builds conversational trust by simulating benign-seeming intentions and by exploiting the consistency property of the model, ultimately guiding the target model toward harmful, detailed outputs. Most crucially, our approach also uncovered an additional class of model vulnerability that we call para-jailbreaking that has been unnoticed up to now. Para-jailbreaking describes the situation where the model may not reveal harmful direct reply to the attack query, however the information that it reveals is nevertheless harmful. Our contributions are threefold. First, it achieves high success rates against frontier models including GPT-5-thinking and Claude-Sonnet-4.5. Second, our approach revealed and addressed para-jailbreaking harmful output. Third, experiments on multimodal VLM models showed that our approach outperformed state-of-the-art models.

Key Contributions

  • Novel multi-turn jailbreaking method exploiting intent deception against safe-completion models
  • Discovery of 'para-jailbreaking' vulnerability where models leak harmful information indirectly
  • Achieves high attack success rates against frontier models including GPT-5-thinking and Claude-Sonnet-4.5

🛡️ Threat Analysis

Details

Domains
nlpmultimodal
Model Types
llmvlmtransformer
Threat Tags
black_boxinference_timetargeted
Applications
chatbotsconversational aisafety-aligned llms
Read PDF arXiv

Similar Papers

attack

Multi-Turn Adaptive Prompting Attack on Large Vision-Language Models

2026 0 cit.
93%
attack

The Emotional Baby Is Truly Deadly: Does your Multimodal Large Reasoning Model Have Emotional Flattery towards Humans?

2025 0 cit.
93%
attack

Text is All You Need for Vision-Language Model Jailbreaking

2026 0 cit.
93%
attack

Jailbreaking Multimodal Large Language Models via Shuffle Inconsistency

2025 0 cit.
93%
attack

JPRO: Automated Multimodal Jailbreaking via Multi-Agent Collaboration Framework

2025 0 cit.
93%
attack

Gaming the Judge: Unfaithful Chain-of-Thought Can Undermine Agent Evaluation

2026 1 cit.
93%
attack

SPARTA: Evaluating Reasoning Segmentation Robustness through Black-Box Adversarial Paraphrasing in Text Autoencoder Latent Space

2025 0 cit.
88%
attack

Multimodal Safety Is Asymmetric: Cross-Modal Exploits Unlock Black-Box MLLMs Jailbreaks

2025 1 cit.
87%