Involuntary Jailbreak
Yangyang Guo, Yangyan Li, Mohan Kankanhalli
TL;DR
The paper uncovers involuntary jailbreak, a universal prompt-based vulnerability that can bypass guardrails across top LLMs. It introduces a two-step language-operator prompt design that elicits unsafe questions and their harmful responses without targeting a specific harm. Extensive experiments across Claude Opus 4.1, Grok 4, Gemini 2.5 Pro, GPT-4.1, and others show guardrails collapsing in most trials, with high attack success rates and substantial unsafe content generation. The work discusses defense implications, including topic confinement and output-level filtering, highlighting the challenge of achieving universal safety and robust alignment for modern LLMs.
Abstract
In this study, we disclose a worrying new vulnerability in Large Language Models (LLMs), which we term \textbf{involuntary jailbreak}. Unlike existing jailbreak attacks, this weakness is distinct in that it does not involve a specific attack objective, such as generating instructions for \textit{building a bomb}. Prior attack methods predominantly target localized components of the LLM guardrail. In contrast, involuntary jailbreaks may potentially compromise the entire guardrail structure, which our method reveals to be surprisingly fragile. We merely employ a single universal prompt to achieve this goal. In particular, we instruct LLMs to generate several questions that would typically be rejected, along with their corresponding in-depth responses (rather than a refusal). Remarkably, this simple prompt strategy consistently jailbreaks the majority of leading LLMs, including Claude Opus 4.1, Grok 4, Gemini 2.5 Pro, and GPT 4.1. We hope this problem can motivate researchers and practitioners to re-evaluate the robustness of LLM guardrails and contribute to stronger safety alignment in future.