How to efficiently and stealthily inject general-purpose jailbreaking capabilities into an already safety-aligned large language model (LLM) without retraining or poisoned data, while preserving its safety and response quality on benign queries? Method: We propose JailbreakEdit, the first method to employ multi-node target-space estimation for precise identification of the jailbreaking semantic subspace, coupled with semantic attention hijacking to construct a lightweight, interpretable parameter-editing path. Results: JailbreakEdit achieves editing in minutes, attains high attack success rates across diverse jailbreaking prompts, and preserves both the safety alignment and generation quality on normal queries—outperforming existing backdoor and jailbreaking approaches by a significant margin.

Jailbreak backdoor attacks on LLMs have garnered attention for their effectiveness and stealth. However, existing methods rely on the crafting of poisoned datasets and the time-consuming process of fine-tuning. In this work, we propose JailbreakEdit, a novel jailbreak backdoor injection method that exploits model editing techniques to inject a universal jailbreak backdoor into safety-aligned LLMs with minimal intervention in minutes. JailbreakEdit integrates a multi-node target estimation to estimate the jailbreak space, thus creating shortcuts from the backdoor to this estimated jailbreak space that induce jailbreak actions. Our attack effectively shifts the models' attention by attaching strong semantics to the backdoor, enabling it to bypass internal safety mechanisms. Experimental results show that JailbreakEdit achieves a high jailbreak success rate on jailbreak prompts while preserving generation quality, and safe performance on normal queries. Our findings underscore the effectiveness, stealthiness, and explainability of JailbreakEdit, emphasizing the need for more advanced defense mechanisms in LLMs.