PAST2HARM: A Simple Adaptive Past Tense Attack for Jailbreaking Multimodal AI
Pith reviewed 2026-06-29 18:36 UTC · model grok-4.3
The pith
Past tense reformulations systematically jailbreak multimodal text-to-image models with success rates up to 100 percent.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
PAST2HARM achieves attack success rates of 83 percent, 67 percent, and 100 percent on Gemini Nano Banana Pro, GPT Image 2, and SD XL in a black-box gradient-free setting, with cross-model transfer above 50 percent. The attack systematically strengthens historical anchoring via temporal deepening and escalates harm after initial compliance, with peak vulnerability in mid-conversation turns before semantic inversion occurs. It elicits diverse harmful content including explicit sexual material, political disinformation, historical denial, hate speech, and self-harm glorification.
What carries the argument
The PAST2HARM framework, which applies temporal deepening to past tense reformulations and iterative escalation to erode refusal boundaries in multimodal text-to-image models.
If this is right
- Current multimodal safeguards remain brittle against simple linguistic adaptations such as past tense reformulations.
- Adversarial prompts generated by the attack transfer across different models with success above 50 percent.
- Mid-conversation turns form peak vulnerability windows where harmfulness increases before plateauing.
- Diverse harmful outputs including explicit sexual content and political disinformation can be elicited reliably.
- Releasing a curated benchmark of prompts, reformulations, and outputs supports ongoing red teaming and alignment work.
Where Pith is reading between the lines
- Alignment methods may need explicit testing against historical and archival phrasing variations to close this gap.
- The scalar severity metric judged by a language model could serve as a reusable evaluation tool for other multimodal jailbreaks.
- If left unaddressed, similar adaptive attacks could extend to video or audio generation models that share the same training patterns.
- The observed semantic inversion after peak harm suggests a natural limit that future defenses might exploit by forcing early termination of conversations.
Load-bearing premise
The assumption that past tense reformulations can be systematically strengthened via temporal deepening and iterative escalation to erode refusal boundaries across models with varying alignment strength.
What would settle it
Running the same PAST2HARM prompts on a fourth multimodal model and measuring success rates below 20 percent would falsify the claim of broad effectiveness.
Figures
read the original abstract
Jailbreak attacks on multimodal AI systems remain underexplored, even though unsafe image generation can have more severe consequences than unsafe text and current defenses are relatively immature. We introduce PAST2HARM, a simple yet effective adaptive jailbreak framework that bypasses refusal training in state of the art multimodal text to image models. Building on prior findings that past tense reformulations can evade safeguards, PAST2HARM systematically exploits this vulnerability in multimodal generative AI. We characterize the attack along two dimensions. First, breadth: through temporal deepening, the framework incrementally strengthens historical anchoring and archival cues, eroding refusal boundaries across models with varying alignment strength. Second, depth: via iterative escalation after initial compliance, we probe the upper bound of harmful generation, measuring severity using a scalar severity jailbreak metric evaluated by a language model acting as a judge. We find that mid conversation turns form peak vulnerability windows, where harmfulness increases before plateauing and eventually undergoing semantic inversion. We evaluate PAST2HARM on three models Gemini Nano Banana Pro, GPT Image 2, and SD XL achieving attack success rates of 83 percent, 67 percent, and 100 percent in a black box, gradient free setting. Adversarial prompts also transfer across models, with cross model success rates above 50 percent. The attack elicits diverse harmful outputs, including explicit sexual content, political disinformation, historical denial narratives, hate speech, and self harm glorification. We further release a curated benchmark of prompts, reformulations, and outputs as a resource for red teaming and alignment. Our results expose fundamental brittleness in current safeguards and highlight the need for stronger multimodal safety training.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The paper introduces PAST2HARM, a simple adaptive jailbreak framework for multimodal text-to-image models that exploits past-tense reformulations via temporal deepening (to strengthen historical anchoring) and iterative escalation (to probe upper bounds of harm after initial compliance). It reports black-box, gradient-free attack success rates of 83%, 67%, and 100% on Gemini Nano Banana Pro, GPT Image 2, and SD XL respectively, with >50% cross-model transfer, and releases a benchmark of prompts, reformulations, and outputs; success is measured by an LLM judge using a scalar severity jailbreak metric, with observations that mid-conversation turns are peak vulnerability windows before semantic inversion.
Significance. If the empirical claims hold under a validated evaluation protocol, the work would demonstrate that simple linguistic manipulations can systematically erode refusal boundaries in current multimodal models, exposing alignment brittleness and providing a publicly released benchmark that could aid red-teaming and safety research.
major comments (2)
- [Abstract] Abstract: the central quantitative claims (83%, 67%, 100% ASR and >50% transfer) rest entirely on an LLM judge applying a 'scalar severity jailbreak metric,' yet no judge prompt, few-shot examples, scoring rubric, evaluation protocol, baseline comparisons, or validation data (human correlation, inter-rater reliability, or calibration set) are supplied, rendering the headline effectiveness numbers unverifiable and load-bearing for the paper's conclusions.
- [Abstract] Abstract: the claims that 'mid conversation turns form peak vulnerability windows' and that harmfulness 'increases before plateauing and eventually undergoing semantic inversion' are presented as findings, but no supporting quantitative data, figures, tables, or per-turn breakdowns are referenced, leaving these characterizations unsupported.
minor comments (2)
- [Abstract] Abstract: model names 'Gemini Nano Banana Pro' and 'GPT Image 2' are non-standard; clarify exact model versions or whether pseudonyms are used.
- [Abstract] Abstract: the phrase 'We further release a curated benchmark' should include a link, repository identifier, or access instructions.
Simulated Author's Rebuttal
We thank the referee for the constructive feedback on verifiability and evidential support. We address each major comment below and will revise the manuscript to improve transparency.
read point-by-point responses
-
Referee: [Abstract] Abstract: the central quantitative claims (83%, 67%, 100% ASR and >50% transfer) rest entirely on an LLM judge applying a 'scalar severity jailbreak metric,' yet no judge prompt, few-shot examples, scoring rubric, evaluation protocol, baseline comparisons, or validation data (human correlation, inter-rater reliability, or calibration set) are supplied, rendering the headline effectiveness numbers unverifiable and load-bearing for the paper's conclusions.
Authors: We agree the abstract lacks these specifics, which are needed for full verifiability. The full manuscript describes the LLM-as-judge approach at a high level in the evaluation section, but does not include the prompt, rubric, or validation details. In revision we will add an appendix containing the exact judge prompt, few-shot examples, scoring rubric, evaluation protocol, and any available human correlation or inter-rater reliability data. We will also report baseline comparisons with alternative judges where possible. revision: yes
-
Referee: [Abstract] Abstract: the claims that 'mid conversation turns form peak vulnerability windows' and that harmfulness 'increases before plateauing and eventually undergoing semantic inversion' are presented as findings, but no supporting quantitative data, figures, tables, or per-turn breakdowns are referenced, leaving these characterizations unsupported.
Authors: We acknowledge that the abstract summarizes these observations without explicit references to supporting data. The manuscript contains per-turn severity analysis and trend descriptions in the results section, but these are not cited in the abstract. We will revise the abstract to reference the relevant figures and tables showing per-turn breakdowns and severity curves, and will ensure the quantitative trends are clearly linked to the claims. revision: yes
Circularity Check
No circularity; purely empirical attack evaluation with direct measurements
full rationale
The manuscript introduces PAST2HARM as an empirical jailbreak framework, characterizes it along breadth and depth dimensions, and reports attack success rates (83%, 67%, 100%) plus transfer rates as direct experimental outcomes on three models. No equations, derivations, fitted parameters, predictions, uniqueness theorems, or self-citation chains appear in the provided text. The LLM judge is described only as a measurement instrument for severity; its use does not reduce any claimed result to an input by construction. This is a standard empirical red-teaming paper whose central claims rest on observed outputs rather than any self-referential reduction.
Axiom & Free-Parameter Ledger
Reference graph
Works this paper leans on
-
[1]
Does refusal training in llms generalize to the past tense?Preprint, arXiv:2407.11969. Yuntao Bai, Saurav Kadavath, Sandipan Kundu, Amanda Askell, Jackson Kernion, Andy Jones, Anna Chen, Anna Goldie, Azalia Mirhoseini, Cameron McKinnon, Carol Chen, Catherine Olsson, Christopher Olah, Danny Hernandez, Dawn Drain, Deep Ganguli, Dustin Li, Eli Tran-Johnson, ...
-
[2]
Constitutional AI: Harmlessness from AI Feedback
Constitutional ai: Harmlessness from ai feedback.arXiv preprint arXiv:2212.08073, arXiv:2212.08073. Patrick Chao, Edoardo Debenedetti, Alexander Robey, Maksym Andriushchenko, Francesco Croce, Vikash Sehwag, Edgar Dobriban, Nicolas Flammarion, George J. Pappas, Florian Tramèr, Hamed Hassani, and Eric Wong. 2024a. Jail- breakbench: an open robustness benchm...
work page internal anchor Pith review Pith/arXiv arXiv 2024
-
[3]
The attacker moves second: Stronger adaptive attacks bypass defenses against llm jailbreaks and prompt injections.Preprint, arXiv:2510.09023. OpenAI. 2026. Introducing chatgpt im- ages 2.0. OpenAI Website. Avail- able at https://openai.com/index/ introducing-chatgpt-images-2-0/. Long Ouyang, Jeff Wu, Xu Jiang, Diogo Almeida, Carroll L. Wainwright, Pamela ...
work page internal anchor Pith review Pith/arXiv arXiv 2026
-
[4]
context reset
for text-only models, which we extend to the multimodal generation setting. C Hyperparameters and Experimental Configuration This section provides the complete configura- tion necessary to reproduce all experiments reported in the main paper and in this ap- pendix. C.1 Model Details Table 1: Target models evaluated inPast2Harm experiments. Model Type Acce...
2024
-
[5]
Seed collection.Harmful requests were sourced from JBB Behaviors (Chao et al., 2024a), AdvBench (Zou et al., 2023b), and TDC/HarmBench (Mazeika et al., 2024) (see Table 4)
2024
-
[6]
Reformulation.Past-tense reformula- tions were generated using GPT-3.5-Turbo with the system prompt in Section G.3
-
[7]
14 reformulations were revised following this review
Human review.Two annotators re- viewed all 100 (request, reformulation) pairs to verify semantic equivalence and flag any reformulations that failed to pre- serve harmful intent. 14 reformulations were revised following this review
-
[8]
Image generation.Images were gener- ated using all three target models under the Adaptive PT strategy atK= 8
-
[9]
in historical accounts
Annotation.Each (prompt, image) pair wasannotatedwithabinaryattacksuccess label and aseverity_jailbreak score by GPT-4o, validated against human annota- tion on a 20% sample. G.2 Category Breakdown G.3 Reformulation System Prompt The following system prompt was used for GPT-3.5-Turbo to generate past-tense refor- mulations: 19 Reformulation System Prompt ...
-
[10]
This suggests that some harm 20 categories are more robustly refused re- gardless of temporal framing
Tense sensitivity varies by harm cate- gory.For certain categories (e.g., explicit zoophilia), the past-tense reformulation does not substantially increase compliance probability (see Table 1, row 2 of the main paper). This suggests that some harm 20 categories are more robustly refused re- gardless of temporal framing
-
[11]
Dependency on reformulation qual- ity.Low-quality reformulations that do not naturally embed in historical discourse achieve substantially lower ASR (see Ta- ble 13)
-
[12]
Applica- tions requiring very low query budgets may find the attack less effective against the strongest frontier models
Query efficiency.At K = 2, ASR for GPT-Image-2 is only 26%. Applica- tions requiring very low query budgets may find the attack less effective against the strongest frontier models
-
[13]
The effective attack window is bounded
Semantic inversion at high depth.As discussed in Section F.3, sustained escala- tion beyondd≈8often results in model behavior that inverts rather than ampli- fies harm. The effective attack window is bounded
-
[14]
Whilewevalidateourjudgeagainsthuman annotators, LLM-based evaluation may systematically differ from human judg- ment on edge cases
Evaluation with LLM-as-a-judge. Whilewevalidateourjudgeagainsthuman annotators, LLM-based evaluation may systematically differ from human judg- ment on edge cases. Future work should include larger-scale human evaluation. J.2 Generalization Beyond Evaluated Models The experiments in this paper are limited to three models: SDXL, GPT-Image-2, and Gem- ini N...
-
[15]
The branching strategy — escalate on com- pliance, temporally deepen on refusal — is a novel attack design that exploits model behavior dynamically
The adaptive escalation framework. The branching strategy — escalate on com- pliance, temporally deepen on refusal — is a novel attack design that exploits model behavior dynamically. Prior work on tem- poral vulnerability used static reformula- tion.Past2Harmtreats the attack as an interactive process and demonstrates that this adaptivity yields a consis...
-
[16]
This paper introduces a continu- ous severity metric that measures not just whether a model was jailbroken, but how deeply it was escalated and on what tra- jectory
The severity_jailbreak metric.Ex- isting jailbreak evaluations treat success as binary. This paper introduces a continu- ous severity metric that measures not just whether a model was jailbroken, but how deeply it was escalated and on what tra- jectory. This instrument enables a class of analysis —depth characterization, plateau detection, inversion ident...
-
[17]
more turns=more harm
The empirical characterization of the rise–plateau–inversion trajectory. The finding that severity peaks at a bounded depth and then declines is a new empirical regularity. It has direct implica- tions for defenders (see Section K.3) and could not have been discovered without the depth-aware evaluation methodology introduced here. K.3 The Rise–Plateau–Inv...
discussion (0)
Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.