This work identifies and systematically validates a novel “hijacking jailbreak attack” induced by integrating IP-Adapter into text-to-image diffusion models (T2I-DMs): attackers can upload imperceptible image-space adversarial examples to trigger widespread, unintentional jailbreaking by benign users, severely compromising the reliability and trustworthiness of image generation services (IGS). We propose a hijacking attack paradigm tailored to T2I-IP-DMs, substantially lowering the barrier for adversarial example construction. By analyzing the IP-Adapter architecture, leveraging open-source image encoders, and applying image-space adversarial perturbations, our method achieves over 92% attack success rates across multiple mainstream models. To counter this threat, we design a defense framework incorporating adversarial training, which effectively mitigates both false negatives and false positives inherent in existing detection approaches. This study reveals a critical vulnerability in multimodal alignment modules and provides both an actionable attack benchmark and a robust defensive strategy for secure T2I model deployment.

Recently, the Image Prompt Adapter (IP-Adapter) has been increasingly integrated into text-to-image diffusion models (T2I-DMs) to improve controllability. However, in this paper, we reveal that T2I-DMs equipped with the IP-Adapter (T2I-IP-DMs) enable a new jailbreak attack named the hijacking attack. We demonstrate that, by uploading imperceptible image-space adversarial examples (AEs), the adversary can hijack massive benign users to jailbreak an Image Generation Service (IGS) driven by T2I-IP-DMs and mislead the public to discredit the service provider. Worse still, the IP-Adapter's dependency on open-source image encoders reduces the knowledge required to craft AEs. Extensive experiments verify the technical feasibility of the hijacking attack. In light of the revealed threat, we investigate several existing defenses and explore combining the IP-Adapter with adversarially trained models to overcome existing defenses' limitations. Our code is available at https://github.com/fhdnskfbeuv/attackIPA.