Breaking Diffusion with Cache: Exploiting Approximate Caches in Diffusion Models

📅 2025-08-28
🤖 AI Summary
Approximate caching for diffusion models significantly reduces generation overhead, but it compromises isolation by sharing intermediate states across users, which introduces novel security risks. This paper presents the first systematic security analysis of such caching mechanisms and proposes three attacks: (1) a remote covert channel that exploits cache-hit side channels; (2) prompt recovery, which uses semantic similarity matching and reverse engineering to reconstruct sensitive inputs; and (3) targeted cache poisoning, which persistently injects malicious content. The experimental evaluation shows that these attacks recover user prompts and contaminate content, even in remote settings and days after the initial exposure. The results expose critical security flaws in existing caching optimizations for diffusion models. The work provides foundational insights, concrete attack vectors, and an essential security evaluation benchmark for the secure design of generative AI services.

📝 Abstract
Diffusion models are a powerful class of generative models that produce content, such as images, from user prompts, but they are computationally intensive. To mitigate this cost, recent academic and industry work has adopted approximate caching, which reuses intermediate states from similar prompts in a cache. While efficient, this optimization introduces new security risks by breaking isolation among users. This work aims to comprehensively assess new security vulnerabilities arising from approximate caching. First, we demonstrate a remote covert channel established with the cache, where a sender injects prompts with special keywords into the cache and a receiver can recover them, even after days, to exchange information. Second, we introduce a prompt stealing attack using the cache, where an attacker can recover existing cached prompts based on cache hit prompts. Finally, we introduce a poisoning attack that embeds the attacker's logos into the previously stolen prompt, to render them in future user prompts that hit the cache. These attacks are all performed remotely through the serving system, which indicates severe security vulnerabilities in approximate caching.
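
The isolation break the abstract describes can be seen in a small model of an approximate cache. This is an added illustration, not code from the paper: the bag-of-words embedding, the 0.75 threshold, the step counts, the sample prompts and the tenant-scoping option are all assumptions made for the example.

```python
import math
from collections import Counter

THRESHOLD = 0.75  # assumed similarity cut-off for a cache hit

def embed(prompt):
    """Toy bag-of-words vector (assumption; real systems use a text encoder)."""
    return Counter(prompt.lower().split())

def cosine(a, b):
    dot = sum(a[w] * b[w] for w in a)
    norm = math.sqrt(sum(v * v for v in a.values())) * \
           math.sqrt(sum(v * v for v in b.values()))
    return dot / norm if norm else 0.0

class ApproxCache:
    """Similarity-keyed cache of intermediate states, shared or per tenant."""
    def __init__(self, tenant_scoped):
        self.tenant_scoped = tenant_scoped
        self.entries = []  # (owner tenant, embedding, intermediate state)

    def lookup(self, tenant, prompt):
        query, best, best_sim = embed(prompt), None, THRESHOLD
        for owner, vec, state in self.entries:
            if self.tenant_scoped and owner != tenant:
                continue  # scoped mode: never reuse another tenant's state
            sim = cosine(query, vec)
            if sim >= best_sim:
                best, best_sim = (owner, state), sim
        return best

    def generate(self, tenant, prompt):
        hit = self.lookup(tenant, prompt)
        if hit:
            owner, _state = hit
            # Constructed numbers: a hit resumes from the cached state,
            # so fewer denoising steps run and the response is faster.
            return {"hit": True, "state_owner": owner, "steps": 20}
        self.entries.append((tenant, embed(prompt), f"latent({prompt})"))
        return {"hit": False, "state_owner": tenant, "steps": 50}

def demo(tenant_scoped):
    """Tenant A warms the cache; tenant B then sends a similar prompt."""
    cache = ApproxCache(tenant_scoped)
    cache.generate("tenant-a", "a red sports car parked on a beach at sunset")
    return cache.generate("tenant-b", "a red sports car parked on a beach at sunrise")

if __name__ == "__main__":
    print("shared cache:", demo(False))  # B's output is built on A's state
    print("tenant-scoped:", demo(True))  # B misses and computes from scratch
```

With the shared cache, tenant B's request is served from tenant A's intermediate state and finishes in fewer steps, which is both the cross-user reuse and the observable hit/miss difference the attacks rely on; scoping lookups to the owning tenant removes the cross-tenant hit at the cost of a lower hit rate.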
Problem

Research questions and friction points this paper is trying to address.

Assessing security vulnerabilities in diffusion model caching
Demonstrating remote covert channel via cache injection
Introducing prompt stealing and poisoning attacks remotely
Innovation

Methods, ideas, or system contributions that make the work stand out.

Exploiting approximate caches in diffusion models
Establishing remote covert channels through cache injection
Executing prompt stealing and poisoning attacks remotely