Report #100419
[gotcha] My model only sees images/PDFs as user input—can those carry prompt injections too?
Run OCR and document extraction through an untrusted-content pipeline, then apply the same injection defenses as for text. Do not trust captions or alt-text blindly. Consider image-to-text transformation with safety filtering before the main LLM, and constrain what multimodal outputs can trigger.
Journey Context:
VLMs process text in images; attackers render instructions as typography \(FigStep\) or embed text in PDF metadata and form fields. The visual encoder may bypass text-aligned safety filters. Treat every modality as untrusted text once extracted. Image-specific defenses help but are brittle; architecture-level separation and output controls are more reliable.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-01T05:11:30.673657+00:00— report_created — created