AI Summary
To address the vulnerability of multi-layer safety checkers in text-to-image (T2I) models to adversarial attacks, this paper proposes TCBS-Attack, the first query-based black-box jailbreaking method. It introduces a token-level constrained boundary search mechanism that iteratively locates and optimizes prompts within the embedding space, enabling semantically coherent, cross-checker evasion (simultaneously bypassing both prompt and image safety checkers). Unlike existing approaches relying on semantic perturbations or template substitution, TCBS-Attack leverages gradient approximation and joint constraint modeling across multiple checkers to significantly enhance attack efficacy. Evaluated on DALL-E 3 and several open-source secure T2I models, TCBS-Attack achieves an Attack Success Rate (ASR) of 45% under four-checker evaluation (ASR-4) and 21% under single-checker evaluation (ASR-1), outperforming current state-of-the-art jailbreaking methods.
Abstract
Recent advancements in Text-to-Image (T2I) generation have significantly enhanced the realism and creativity of generated images. However, such powerful generative capabilities pose risks related to the production of inappropriate or harmful content. Existing defense mechanisms, including prompt checkers and post-hoc image checkers, are vulnerable to sophisticated adversarial attacks. In this work, we propose TCBS-Attack, a novel query-based black-box jailbreak attack that searches for tokens located near the decision boundaries defined by text and image checkers. By iteratively optimizing tokens near these boundaries, TCBS-Attack generates semantically coherent adversarial prompts capable of bypassing multiple defensive layers in T2I models. Extensive experiments demonstrate that our method consistently outperforms state-of-the-art jailbreak attacks across various T2I models, including securely trained open-source models and commercial online services like DALL-E 3. TCBS-Attack achieves an ASR-4 of 45% and an ASR-1 of 21% on jailbreaking full-chain T2I models, significantly surpassing baseline methods.