Current multimodal text-to-image systems exhibit weak defenses against jailbreak attacks and are easily circumvented. This work proposes the first adaptive jailbreaking framework based on past-tense reconstruction, which dynamically identifies model vulnerability windows through temporal context enhancement and iterative prompt refinement, while leveraging large language models to quantify potential harm. The approach is gradient-free, applicable in black-box settings, and supports cross-model transferability. Evaluated on Gemini Nano Banana Pro, GPT Image 2, and SD XL, it achieves attack success rates of 83%, 67%, and 100%, respectively, with cross-model transfer success exceeding 50%. The method successfully generates diverse high-risk content and introduces the first open-source red-teaming evaluation benchmark for multimodal generative models.

Jailbreak attacks on multimodal AI systems remain underexplored, even though unsafe image generation can have more severe consequences than unsafe text and current defenses are relatively immature. We introduce PAST2HARM, a simple yet effective adaptive jailbreak framework that bypasses refusal training in state of the art multimodal text to image models. Building on prior findings that past tense reformulations can evade safeguards, PAST2HARM systematically exploits this vulnerability in multimodal generative AI. We characterize the attack along two dimensions. First, breadth: through temporal deepening, the framework incrementally strengthens historical anchoring and archival cues, eroding refusal boundaries across models with varying alignment strength. Second, depth: via iterative escalation after initial compliance, we probe the upper bound of harmful generation, measuring severity using a scalar severity jailbreak metric evaluated by a language model acting as a judge. We find that mid conversation turns form peak vulnerability windows, where harmfulness increases before plateauing and eventually undergoing semantic inversion. We evaluate PAST2HARM on three models Gemini Nano Banana Pro, GPT Image 2, and SD XL achieving attack success rates of 83 percent, 67 percent, and 100 percent in a black box, gradient free setting. Adversarial prompts also transfer across models, with cross model success rates above 50 percent. The attack elicits diverse harmful outputs, including explicit sexual content, political disinformation, historical denial narratives, hate speech, and self harm glorification. We further release a curated benchmark of prompts, reformulations, and outputs as a resource for red teaming and alignment. Our results expose fundamental brittleness in current safeguards and highlight the need for stronger multimodal safety training.