In vertical federated learning (VFL), intermediate feature exchange poses severe privacy risks, yet existing data reconstruction attacks often rely on specific model architectures or gradient information, limiting their generalizability. To address this, we propose the Unified Inverse Network Framework for VFL (UIFV)—the first gradient-free and architecture-agnostic framework that enables end-to-end differentiable inversion of intermediate features for high-fidelity reconstruction of original inputs across diverse models and tasks. Evaluated on four benchmark datasets, UIFV consistently outperforms state-of-the-art methods, achieving reconstruction accuracy improvements of 12.7%–38.4%. This work provides the first systematic evidence that intermediate features in VFL inherently encode sufficient sensitive information, revealing a pervasive and practical privacy threat. Our findings establish a new benchmark for VFL privacy risk assessment and offer critical insights for designing robust defense mechanisms.

Vertical Federated Learning (VFL) facilitates collaborative machine learning without the need for participants to share raw private data. However, recent studies have revealed privacy risks where adversaries might reconstruct sensitive features through data leakage during the learning process. Although data reconstruction methods based on gradient or model information are somewhat effective, they reveal limitations in VFL application scenarios. This is because these traditional methods heavily rely on specific model structures and/or have strict limitations on application scenarios. To address this, our study introduces the Unified InverNet Framework into VFL, which yields a novel and flexible approach (dubbed UIFV) that leverages intermediate feature data to reconstruct original data, instead of relying on gradients or model details. The intermediate feature data is the feature exchanged by different participants during the inference phase of VFL. Experiments on four datasets demonstrate that our methods significantly outperform state-of-the-art techniques in attack precision. Our work exposes severe privacy vulnerabilities within VFL systems that pose real threats to practical VFL applications and thus confirms the necessity of further enhancing privacy protection in the VFL architecture.