On the Robustness of Tabular Foundation Models: Test-Time Attacks and In-Context Defenses

📅 2025-06-03
🤖 AI Summary
This work exposes the severe vulnerability of tabular foundation models, including TabPFN and TabICL, to structured adversarial perturbations during inference, and reports the first discovery that such perturbations can be exploited to generate cross-model transferable evasion attacks. To address this, the authors propose a novel weight-free, context-level adversarial training paradigm that dynamically substitutes context examples with adversarial instances and jointly optimizes adversarial contextual learning with context reweighting. Evaluated on three real-world benchmarks (finance, cybersecurity, and healthcare), the method substantially improves model robustness against structured attacks. The work also shows that tabular foundation models can generate highly transferable adversarial examples that evade traditional models including Random Forest and XGBoost. The approach provides both a new conceptual framework and practical tools for security evaluation and robust training of tabular foundation models.

📝 Abstract
Recent tabular Foundational Models (FM), such as TabPFN and TabICL, leverage in-context learning to achieve strong performance without gradient updates or fine-tuning. However, their robustness to adversarial manipulation remains largely unexplored. In this work, we present a comprehensive study of the adversarial vulnerabilities of tabular FM, focusing on both their fragility to targeted test-time attacks and their potential misuse as adversarial tools. We show on three benchmarks in finance, cybersecurity and healthcare that small, structured perturbations to test inputs can significantly degrade prediction accuracy, even when the training context remains fixed. Additionally, we demonstrate that tabular FM can be repurposed to generate transferable evasion to conventional models such as random forests and XGBoost, and to a lesser extent to deep tabular models. To improve tabular FM, we formulate the robustification problem as an optimization of the weights (adversarial fine-tuning), or the context (adversarial in-context learning). We introduce an in-context adversarial training strategy that incrementally replaces the context with adversarially perturbed instances, without updating model weights. Our approach improves robustness across multiple tabular benchmarks. Together, these findings position tabular FM as both a target and a source of adversarial threats, highlighting the urgent need for robust training and evaluation practices in this emerging paradigm.

Problem

Research questions and friction points this paper is trying to address.

Assessing adversarial vulnerabilities of tabular foundation models
Exploring test-time attacks degrading prediction accuracy
Developing defenses via adversarial training and context optimization

Innovation

Methods, ideas, or system contributions that make the work stand out.

Adversarial fine-tuning optimizes model weights
In-context adversarial training replaces context
Generates transferable evasion to conventional models