Table of Contents
Fetching ...

$PC^2$: Politically Controversial Content Generation via Jailbreaking Attacks on GPT-based Text-to-Image Models

Wonwoo Choi, Minjae Seo, Minkyoo Song, Hwanjo Heo, Seungwon Shin, Myoungsung You

TL;DR

PC^2 reveals a multilingual, black-box vulnerability in commercial T2I safety filters by combining Identity-Preserving Descriptive Mapping with geopolitically distal translation to craft prompts that preserve visual identity while obfuscating political relationships. Through a 72-language translation and a four-metric scoring system, it selects adversarial prompts that bypass pre-filter and semantic checks, achieving up to 86% attack success on GPT-based interfaces for PSCs. The work provides extensive evaluation across GPT-4o, GPT-5, and GPT-5.1, showing strong performance relative to random multilingual baselines and highlighting defenses such as system prompts that, while effective, impose high false-positive costs. These findings underscore a critical need for robust cross-lingual and relational reasoning in safety filters to curb politically harmful image generation without unduly curtailing legitimate use.

Abstract

The rapid evolution of text-to-image (T2I) models has enabled high-fidelity visual synthesis on a global scale. However, these advancements have introduced significant security risks, particularly regarding the generation of harmful content. Politically harmful content, such as fabricated depictions of public figures, poses severe threats when weaponized for fake news or propaganda. Despite its criticality, the robustness of current T2I safety filters against such politically motivated adversarial prompting remains underexplored. In response, we propose $PC^2$, the first black-box political jailbreaking framework for T2I models. It exploits a novel vulnerability where safety filters evaluate political sensitivity based on linguistic context. $PC^2$ operates through: (1) Identity-Preserving Descriptive Mapping to obfuscate sensitive keywords into neutral descriptions, and (2) Geopolitically Distal Translation to map these descriptions into fragmented, low-sensitivity languages. This strategy prevents filters from constructing toxic relationships between political entities within prompts, effectively bypassing detection. We construct a benchmark of 240 politically sensitive prompts involving 36 public figures. Evaluation on commercial T2I models, specifically GPT-series, shows that while all original prompts are blocked, $PC^2$ achieves attack success rates of up to 86%.

$PC^2$: Politically Controversial Content Generation via Jailbreaking Attacks on GPT-based Text-to-Image Models

TL;DR

PC^2 reveals a multilingual, black-box vulnerability in commercial T2I safety filters by combining Identity-Preserving Descriptive Mapping with geopolitically distal translation to craft prompts that preserve visual identity while obfuscating political relationships. Through a 72-language translation and a four-metric scoring system, it selects adversarial prompts that bypass pre-filter and semantic checks, achieving up to 86% attack success on GPT-based interfaces for PSCs. The work provides extensive evaluation across GPT-4o, GPT-5, and GPT-5.1, showing strong performance relative to random multilingual baselines and highlighting defenses such as system prompts that, while effective, impose high false-positive costs. These findings underscore a critical need for robust cross-lingual and relational reasoning in safety filters to curb politically harmful image generation without unduly curtailing legitimate use.

Abstract

The rapid evolution of text-to-image (T2I) models has enabled high-fidelity visual synthesis on a global scale. However, these advancements have introduced significant security risks, particularly regarding the generation of harmful content. Politically harmful content, such as fabricated depictions of public figures, poses severe threats when weaponized for fake news or propaganda. Despite its criticality, the robustness of current T2I safety filters against such politically motivated adversarial prompting remains underexplored. In response, we propose , the first black-box political jailbreaking framework for T2I models. It exploits a novel vulnerability where safety filters evaluate political sensitivity based on linguistic context. operates through: (1) Identity-Preserving Descriptive Mapping to obfuscate sensitive keywords into neutral descriptions, and (2) Geopolitically Distal Translation to map these descriptions into fragmented, low-sensitivity languages. This strategy prevents filters from constructing toxic relationships between political entities within prompts, effectively bypassing detection. We construct a benchmark of 240 politically sensitive prompts involving 36 public figures. Evaluation on commercial T2I models, specifically GPT-series, shows that while all original prompts are blocked, achieves attack success rates of up to 86%.
Paper Structure (33 sections, 11 equations, 12 figures, 9 tables)

This paper contains 33 sections, 11 equations, 12 figures, 9 tables.

Figures (12)

  • Figure 1: The overall workflow of $PC^2$.
  • Figure 2: Safety filters in T2I systems.
  • Figure 3: A motivating example: the prompt with general descriptions fail to create a politically hostile image, while the prompt with detailed descriptions are blocked by filters.
  • Figure 4: The overall workflow of $PC^2$.
  • Figure 5: Identity-Preserving Descriptive Mapping (IPDM) description example.
  • ...and 7 more figures