Tree-Ring, a high-robustness watermarking technique for diffusion models, assumes security under black-box access; however, existing removal attacks require full model access, limiting practical threat assessment. Method: We propose a novel black-box watermark removal attack that leverages only a publicly available Variational Autoencoder (VAE)—without requiring access to the target diffusion model or its training data. Our method exploits VAE-based reconstruction of the diffusion model’s intermediate latent space to construct an efficient proxy attack framework. Contribution/Results: This work is the first to expose the watermark security risks arising from VAE reuse in diffusion pipelines. Experiments show that our attack severely degrades Tree-Ring detection performance: AUC drops from 0.993 to 0.153, and PR-AUC from 0.994 to 0.385, while preserving high visual fidelity. Notably, our VAE-only approach outperforms prior full-model-access baselines in both efficacy and practicality. This study provides critical insights into real-world watermark vulnerability and establishes a new evaluation paradigm for watermark robustness in diffusion models.

We present a novel attack specifically designed against Tree-Ring, a watermarking technique for diffusion models known for its high imperceptibility and robustness against removal attacks. Unlike previous removal attacks, which rely on strong assumptions about attacker capabilities, our attack only requires access to the variational autoencoder that was used to train the target diffusion model, a component that is often publicly available. By leveraging this variational autoencoder, the attacker can approximate the model's intermediate latent space, enabling more effective surrogate-based attacks. Our evaluation shows that this approach leads to a dramatic reduction in the AUC of Tree-Ring detector's ROC and PR curves, decreasing from 0.993 to 0.153 and from 0.994 to 0.385, respectively, while maintaining high image quality. Notably, our attacks outperform existing methods that assume full access to the diffusion model. These findings highlight the risk of reusing public autoencoders to train diffusion models -- a threat not considered by current industry practices. Furthermore, the results suggest that the Tree-Ring detector's precision, a metric that has been overlooked by previous evaluations, falls short of the requirements for real-world deployment.