Geminio: Language-Guided Gradient Inversion Attacks in Federated Learning

📅 2024-11-22
🏛️ arXiv.org
📈 Citations: 1
Influential: 0
🤖 AI Summary
Existing gradient inversion attacks (GIAs) in federated learning struggle to reconstruct high-resolution images from large local batch sizes and cannot semantically target specific private samples. To address this, we propose the first language-guided targeted gradient inversion paradigm: leveraging a pre-trained vision-language model (VLM) to map natural language descriptions into a shared semantic space, and integrating gradient distillation with adversarial reconstruction optimization—augmented by semantic similarity constraints derived from global model updates. This approach breaks the conventional GIA dependency on full-batch data, enabling controllable reconstruction of high-value semantic categories. On complex benchmarks under large-batch settings, our method achieves a targeted reconstruction success rate of 92.7%. Moreover, it demonstrates strong robustness against mainstream defenses, including differential privacy and SignSGD.

📝 Abstract
Foundation models that bridge vision and language have made significant progress, inspiring numerous life-enriching applications. However, their potential for misuse to introduce new threats remains largely unexplored. This paper reveals that vision-language models (VLMs) can be exploited to overcome longstanding limitations in gradient inversion attacks (GIAs) within federated learning (FL), where an FL server reconstructs private data samples from gradients shared by victim clients. Current GIAs face challenges in reconstructing high-resolution images, especially when the victim has a large local data batch. While focusing reconstruction on valuable samples rather than the entire batch is promising, existing methods lack the flexibility to allow attackers to specify their target data. In this paper, we introduce Geminio, the first approach to transform GIAs into semantically meaningful, targeted attacks. Geminio enables a brand new privacy attack experience: attackers can describe, in natural language, the types of data they consider valuable, and Geminio will prioritize reconstruction to focus on those high-value samples. This is achieved by leveraging a pretrained VLM to guide the optimization of a malicious global model that, when shared with and optimized by a victim, retains only gradients of samples that match the attacker-specified query. Extensive experiments demonstrate Geminio's effectiveness in pinpointing and reconstructing targeted samples, with high success rates across complex datasets under FL and large batch sizes and showing resilience against existing defenses.

Problem

Research questions and friction points this paper is trying to address.

Enhancing gradient inversion attacks with vision-language models
Targeting specific high-value samples via natural language queries
Reconstructing private data without impacting federated learning performance

Innovation

Methods, ideas, or system contributions that make the work stand out.

Language-guided gradient inversion using vision-language models
Targeted sample reconstruction based on natural language queries
Malicious global model optimization without disrupting FL training
Junjie Shan
The University of Hong Kong
Ziqi Zhao
School of Computing and Data Science, The University of Hong Kong
Jialin Lu
School of Computing and Data Science, The University of Hong Kong
Rui Zhang
Department of Computing, The Hong Kong Polytechnic University
S. Yiu
School of Computing and Data Science, The University of Hong Kong
Ka-Ho Chow
The University of Hong Kong
Trustworthy AI, Cybersecurity, ML for Systems, Systems for ML