This work exposes a critical vulnerability in the safety filtering mechanisms of current text-to-image models, which fail to robustly prevent the generation of politically sensitive content and can be exploited for disinformation. The study presents the first black-box political jailbreaking framework that exploits the contextual linguistic dependency limitations of safety filters—specifically their inadequate handling of political sensitivity across varied phrasings. By integrating identity-preserving prompt mapping with a geopolitically distant translation strategy, the method effectively bypasses safety safeguards in GPT-based text-to-image systems. Evaluated on 240 sensitive prompts involving 36 public figures, the approach achieves an 86% attack success rate, substantially outperforming existing techniques and revealing a pressing risk in the governance of multimodal generative AI regarding political content.

The rapid evolution of text-to-image (T2I) models has enabled high-fidelity visual synthesis on a global scale. However, these advancements have introduced significant security risks, particularly regarding the generation of harmful content. Politically harmful content, such as fabricated depictions of public figures, poses severe threats when weaponized for fake news or propaganda. Despite its criticality, the robustness of current T2I safety filters against such politically motivated adversarial prompting remains underexplored. In response, we propose $PC^2$, the first black-box political jailbreaking framework for T2I models. It exploits a novel vulnerability where safety filters evaluate political sensitivity based on linguistic context. $PC^2$ operates through: (1) Identity-Preserving Descriptive Mapping to obfuscate sensitive keywords into neutral descriptions, and (2) Geopolitically Distal Translation to map these descriptions into fragmented, low-sensitivity languages. This strategy prevents filters from constructing toxic relationships between political entities within prompts, effectively bypassing detection. We construct a benchmark of 240 politically sensitive prompts involving 36 public figures. Evaluation on commercial T2I models, specifically GPT-series, shows that while all original prompts are blocked, $PC^2$ achieves attack success rates of up to 86%.