TLDR: A new method called Sequential Comic Jailbreak (SCJ) uses comic-style visual stories to bypass safety features in multimodal AI models (MLLMs). It breaks down harmful requests into innocent-looking comic panels, achieving an 83.5% attack success rate, significantly higher than previous methods. The research highlights that MLLMs are vulnerable to narrative-based attacks, and current defenses are insufficient, emphasizing the need for better safety mechanisms that understand sequential visual information.
Multimodal Large Language Models (MLLMs) are advanced AI systems that can understand and generate content across different formats like text and images. While these models, such as GPT-5, Claude 4 Sonnet, and Gemini 2.5 Pro, offer incredible capabilities, they also come with a complex security landscape. Integrating visual understanding has inadvertently created new vulnerabilities that can be exploited to bypass their safety mechanisms.
Recent studies have shown that MLLMs are still vulnerable to sophisticated ‘jailbreaking’ attacks. While text-based attacks have been effective, the visual aspect introduces unique challenges. A key vulnerability lies in the asymmetric alignment between visual and textual information: models that can block harmful text prompts can often be manipulated through carefully designed visual inputs.
Existing visual jailbreak methods typically focus on isolated image manipulations or single-frame attacks. However, they often miss a crucial aspect of human cognition that MLLMs aim to replicate: narrative comprehension and sequential reasoning. The ability to understand stories and track plot developments from a sequence of visual information is both a sophisticated capability and an underexplored attack surface.
Introducing Sequential Comic Jailbreak (SCJ)
A new research paper introduces a novel attack method called Sequential Comic Jailbreak (SCJ). This approach exploits MLLMs’ narrative processing abilities using sequential, comic-style visual narratives. The core idea is that harmful content can be broken down into seemingly harmless elements distributed across multiple comic panels. This allows the attack to bypass safety features that might block direct image generation of malicious queries.
SCJ overcomes limitations of previous methods by decomposing malicious queries into discrete, stepwise narrative components. Each component is then rendered as a semantically precise image. When these images are combined sequentially, they preserve the malicious intent while appearing innocuous individually. This sequential presentation exploits a fundamental vulnerability: MLLMs processing coherent visual sequences tend to prioritize story completion over scrutinizing individual panels, effectively bypassing safety alignments.
How SCJ Works: A Four-Phase Framework
The SCJ framework operates in four interdependent phases:
1. Query Intention Extraction: A harmful query is broken down into four distinct semantic components: the core objective (Gain Intent), the protagonist’s role (Role Specification), necessary tools or information (Critical Resources), and the sequential actions (Implementation Steps).
2. Story Script Creation: These extracted components are then translated into a coherent narrative script for visual storytelling. An auxiliary LLM generates detailed scripts for each scene, ensuring logical progression and character consistency across panels.
3. Comics Generation: The narrative scripts are converted into sequential comic panels using diffusion-based image generation models. Each scene becomes a visual frame, reflecting the script’s context, consistent character appearances, and dialogue within the panels.
4. Target Model Attack: The complete comic sequence is presented to the target MLLM along with a prompt that encourages narrative analysis and completion. This guides the model to infer implicit information from the sequential visual cues and produce harmful outputs.
Key Findings and Vulnerabilities
Extensive evaluations on state-of-the-art MLLMs, including commercial models like GPT-5, Claude 4 Sonnet, Gemini 2.5 Pro, and open-source alternatives like LLaVA-1.6, Qwen3-VL, and DeepSeek-VL2, demonstrated SCJ’s effectiveness. The method achieved an average attack success rate of 83.5%, significantly outperforming prior visual jailbreak methods by 46%.
The research revealed several key insights:
- Open-source MLLMs showed pronounced susceptibility, with models like Gemma-3, Qwen3-VL, and DeepSeek-VL2 consistently exceeding 95% attack success rates.
- Commercial models exhibited varied resistance. GPT-5 showed the strongest resistance, while GPT-4V displayed very high susceptibility, comparable to the most vulnerable open-source models.
- Categories involving procedural and action-oriented content, such as Illegal Activity, Fraud, and Privacy Violation, were particularly vulnerable to SCJ. This is because such content naturally decomposes into sequential steps, making it ideal for comic-style narratives.
An ablation study confirmed that both sequential visual presentation and narrative-aligned prompt engineering are crucial for SCJ’s effectiveness.
Also Read:
- New Framework Enhances Detection of Unseen Jailbreak Attacks in Vision-Language Models
- Securing Large Language Models: A New Framework for Understanding and Evaluating Prompt Security
Defense Mechanisms and Future Needs
The study also evaluated SCJ against existing content moderation systems like Llama Guard and LLaVA Guard. While LLaVA Guard offered better protection than Llama Guard, significant vulnerabilities remained, with an average attack success rate still at 66.98%. This highlights that traditional text-based defenses are insufficient against sequential visual attacks, and current multimodal safeguards offer only partial protection.
The findings underscore the urgent need for narrative-aware safety mechanisms in multimodal AI systems. Future defenses should incorporate cross-panel coherence analysis, temporal pattern recognition, and enhanced multimodal alignment to detect distributed harmful content. The structural analogy between sequential comic inputs and video content also highlights security considerations for emerging video-language models.
This research, detailed in the paper Sequential Comics for Jailbreaking Multimodal Large Language Models via Structured Visual Storytelling, aims to advance the understanding of MLLM vulnerabilities and contribute to stronger defensive mechanisms against visual narrative-based attacks. The authors emphasize that this work is intended solely for security research and defense development purposes, encouraging the AI community to use these insights to build robust safeguards.
