Pith Number

pith:HMJNVMXS

pith:2026:HMJNVMXSQ7CDOVBUDBHEXF26BZ

not attested not anchored not stored refs resolved

Hierarchical Attacks for Multi-Modal Multi-Agent Reasoning

Ai Han, Hao Zhou, Junxing Hu, Tiru Wu, Wanqi Zhou, Yan Jiang

A hierarchical attack framework exposes vulnerabilities in multi-modal multi-agent reasoning systems by achieving up to 78.3 percent attack success rate.

arxiv:2605.13213 v1 · 2026-05-13 · cs.AI

Open paper page JSON Open Graph Bundle Merged state Verified badge What is a Pith Number?

Add to your LaTeX paper

\usepackage{pith}
\pithnumber{HMJNVMXSQ7CDOVBUDBHEXF26BZ}

Prints a linked badge after your title and injects PDF metadata. Compiles on arXiv. Learn more · Embed verified badge

Record completeness

1 Bitcoin timestamp

2 Internet Archive

3 Author claim open · sign in to claim

4 Citations open

5 Replications open

✓ Portable graph bundle live · download bundle · merged state

The bundle contains the canonical record plus signed events. A mirror can host it anywhere and recompute the same current state with the deterministic merge algorithm.

Claims

C1strongest claim

Experiments demonstrate that our framework achieves an Attack Success Rate of up to 78.3%, with reasoning-layer attacks being the most effective. More than half of the successful attacks lead multiple agents to produce consistent errors.

C2weakest assumption

The assumption that multi-agent systems built on ReAct, Plan-and-Solve, and Reflexion using the GQA benchmark are representative of real-world multi-modal multi-agent deployments and that the reported attack success rates generalize beyond the specific experimental setup.

C3one line summary

HAM³ achieves up to 78.3% attack success rate on the GQA benchmark by hierarchically attacking perception, communication, and reasoning layers in multi-modal multi-agent systems.

References

49 extracted · 49 resolved · 5 Pith anchors

[1] Vqa: Visual question answering 2015

[2] Qwen2.5-vl technical report, 2025 2025

[3] Agentpoison: Red-teaming llm agents via poisoning memory or knowledge bases.Advances in Neural Informa- tion Processing Systems, 37:130185–130213, 2024 2024

[4] Agent- dojo: A dynamic environment to evaluate prompt injection attacks and defenses for llm agents.Advances in Neural In- formation Processing Systems, 37:82895–82920, 2024 2024

[5] Agentscope: A flexible yet robust multi-agent platform

Formal links

1 machine-checked theorem link

Receipt and verification

First computed	2026-05-18T03:08:48.510186Z
Builder	pith-number-builder-2026-05-17-v1
Signature	Pith Ed25519 (`pith-v1-2026-05`) · public key
Schema	pith-number/v1.0

Canonical hash

3b12dab2f287c4375434184e4b975e0e4a23627c17149b4a8a5b2b98a240c20e

Aliases

arxiv: 2605.13213 · arxiv_version: 2605.13213v1 · doi: 10.48550/arxiv.2605.13213 · pith_short_12: HMJNVMXSQ7CD · pith_short_16: HMJNVMXSQ7CDOVBU · pith_short_8: HMJNVMXS

Agent API

Resolver JSON Graph JSON Events JSON Schema Signing key

Verify this Pith Number yourself

curl -sH 'Accept: application/ld+json' https://pith.science/pith/HMJNVMXSQ7CDOVBUDBHEXF26BZ \
  | jq -c '.canonical_record' \
  | python3 -c "import sys,json,hashlib; b=json.dumps(json.loads(sys.stdin.read()), sort_keys=True, separators=(',',':'), ensure_ascii=False).encode(); print(hashlib.sha256(b).hexdigest())"
# expect: 3b12dab2f287c4375434184e4b975e0e4a23627c17149b4a8a5b2b98a240c20e

Canonical record JSON

{
  "metadata": {
    "abstract_canon_sha256": "cfaba62708779a3a59e5992b127d558e9b83bc5e7c2045ccf4d2c327b2f7d893",
    "cross_cats_sorted": [],
    "license": "http://arxiv.org/licenses/nonexclusive-distrib/1.0/",
    "primary_cat": "cs.AI",
    "submitted_at": "2026-05-13T09:06:21Z",
    "title_canon_sha256": "2cd1aaaba9df467c155c74e68b48f91511e69b7f376c7b7a19bae2a308479e14"
  },
  "schema_version": "1.0",
  "source": {
    "id": "2605.13213",
    "kind": "arxiv",
    "version": 1
  }
}