@inproceedings{han-etal-2026-msia,
title = "{MSIA}: Adaptive Medical Multimodal Multi-turn Semantic Jailbreak",
author = "Han, Zhiheng and
Zhang, Yao and
Wang, Jun and
Yang, Zhenglu",
editor = "Liakata, Maria and
Moreira, Viviane P. and
Zhang, Jiajun and
Jurgens, David",
booktitle = "Findings of the {A}ssociation for {C}omputational {L}inguistics: {ACL} 2026",
month = jul,
year = "2026",
address = "San Diego, California, United States",
publisher = "Association for Computational Linguistics",
url = "https://aclanthology.org/2026.findings-acl.1096/",
doi = "10.18653/v1/2026.findings-acl.1096",
pages = "21791--21806",
ISBN = "979-8-89176-395-1",
abstract = "Medical multimodal large language models are increasingly deployed in high-stakes clinical settings, yet current safety evaluations largely overlook a critical failure mode: covert semantic drift that accumulates across clinically plausible multi-turn interactions. Such drift can lead models to gradually exaggerate or conceal critical medical findings without triggering explicit safety mechanisms. We propose MSIA (Medical Semantic Infiltration Attack), a framework for modeling and inducing multi-turn medical semantic jailbreaks in clinical dialogues. MSIA enables the controlled optimization of cumulative semantic drift under stealth constraints through adaptive strategy selection and closed-loop reward feedback grounded in medical evidence. Experiments on chest X-ray{--}based multimodal medical dialogues show that MSIA consistently outperforms existing jailbreak methods across GPT-4o, Claude, and Gemini, achieving an average attack success rate of 76.67{\%}. These results expose substantial and previously underestimated vulnerabilities of medical LLMs in realistic multi-turn clinical interactions. Code is available here: https://github.com/HeYamo/MSIA."
}<?xml version="1.0" encoding="UTF-8"?>
<modsCollection xmlns="http://www.loc.gov/mods/v3">
<mods ID="han-etal-2026-msia">
<titleInfo>
<title>MSIA: Adaptive Medical Multimodal Multi-turn Semantic Jailbreak</title>
</titleInfo>
<name type="personal">
<namePart type="given">Zhiheng</namePart>
<namePart type="family">Han</namePart>
<role>
<roleTerm authority="marcrelator" type="text">author</roleTerm>
</role>
</name>
<name type="personal">
<namePart type="given">Yao</namePart>
<namePart type="family">Zhang</namePart>
<role>
<roleTerm authority="marcrelator" type="text">author</roleTerm>
</role>
</name>
<name type="personal">
<namePart type="given">Jun</namePart>
<namePart type="family">Wang</namePart>
<role>
<roleTerm authority="marcrelator" type="text">author</roleTerm>
</role>
</name>
<name type="personal">
<namePart type="given">Zhenglu</namePart>
<namePart type="family">Yang</namePart>
<role>
<roleTerm authority="marcrelator" type="text">author</roleTerm>
</role>
</name>
<originInfo>
<dateIssued>2026-07</dateIssued>
</originInfo>
<typeOfResource>text</typeOfResource>
<relatedItem type="host">
<titleInfo>
<title>Findings of the Association for Computational Linguistics: ACL 2026</title>
</titleInfo>
<name type="personal">
<namePart type="given">Maria</namePart>
<namePart type="family">Liakata</namePart>
<role>
<roleTerm authority="marcrelator" type="text">editor</roleTerm>
</role>
</name>
<name type="personal">
<namePart type="given">Viviane</namePart>
<namePart type="given">P</namePart>
<namePart type="family">Moreira</namePart>
<role>
<roleTerm authority="marcrelator" type="text">editor</roleTerm>
</role>
</name>
<name type="personal">
<namePart type="given">Jiajun</namePart>
<namePart type="family">Zhang</namePart>
<role>
<roleTerm authority="marcrelator" type="text">editor</roleTerm>
</role>
</name>
<name type="personal">
<namePart type="given">David</namePart>
<namePart type="family">Jurgens</namePart>
<role>
<roleTerm authority="marcrelator" type="text">editor</roleTerm>
</role>
</name>
<originInfo>
<publisher>Association for Computational Linguistics</publisher>
<place>
<placeTerm type="text">San Diego, California, United States</placeTerm>
</place>
</originInfo>
<genre authority="marcgt">conference publication</genre>
<identifier type="isbn">979-8-89176-395-1</identifier>
</relatedItem>
<abstract>Medical multimodal large language models are increasingly deployed in high-stakes clinical settings, yet current safety evaluations largely overlook a critical failure mode: covert semantic drift that accumulates across clinically plausible multi-turn interactions. Such drift can lead models to gradually exaggerate or conceal critical medical findings without triggering explicit safety mechanisms. We propose MSIA (Medical Semantic Infiltration Attack), a framework for modeling and inducing multi-turn medical semantic jailbreaks in clinical dialogues. MSIA enables the controlled optimization of cumulative semantic drift under stealth constraints through adaptive strategy selection and closed-loop reward feedback grounded in medical evidence. Experiments on chest X-ray–based multimodal medical dialogues show that MSIA consistently outperforms existing jailbreak methods across GPT-4o, Claude, and Gemini, achieving an average attack success rate of 76.67%. These results expose substantial and previously underestimated vulnerabilities of medical LLMs in realistic multi-turn clinical interactions. Code is available here: https://github.com/HeYamo/MSIA.</abstract>
<identifier type="citekey">han-etal-2026-msia</identifier>
<identifier type="doi">10.18653/v1/2026.findings-acl.1096</identifier>
<location>
<url>https://aclanthology.org/2026.findings-acl.1096/</url>
</location>
<part>
<date>2026-07</date>
<extent unit="page">
<start>21791</start>
<end>21806</end>
</extent>
</part>
</mods>
</modsCollection>
%0 Conference Proceedings
%T MSIA: Adaptive Medical Multimodal Multi-turn Semantic Jailbreak
%A Han, Zhiheng
%A Zhang, Yao
%A Wang, Jun
%A Yang, Zhenglu
%Y Liakata, Maria
%Y Moreira, Viviane P.
%Y Zhang, Jiajun
%Y Jurgens, David
%S Findings of the Association for Computational Linguistics: ACL 2026
%D 2026
%8 July
%I Association for Computational Linguistics
%C San Diego, California, United States
%@ 979-8-89176-395-1
%F han-etal-2026-msia
%X Medical multimodal large language models are increasingly deployed in high-stakes clinical settings, yet current safety evaluations largely overlook a critical failure mode: covert semantic drift that accumulates across clinically plausible multi-turn interactions. Such drift can lead models to gradually exaggerate or conceal critical medical findings without triggering explicit safety mechanisms. We propose MSIA (Medical Semantic Infiltration Attack), a framework for modeling and inducing multi-turn medical semantic jailbreaks in clinical dialogues. MSIA enables the controlled optimization of cumulative semantic drift under stealth constraints through adaptive strategy selection and closed-loop reward feedback grounded in medical evidence. Experiments on chest X-ray–based multimodal medical dialogues show that MSIA consistently outperforms existing jailbreak methods across GPT-4o, Claude, and Gemini, achieving an average attack success rate of 76.67%. These results expose substantial and previously underestimated vulnerabilities of medical LLMs in realistic multi-turn clinical interactions. Code is available here: https://github.com/HeYamo/MSIA.
%R 10.18653/v1/2026.findings-acl.1096
%U https://aclanthology.org/2026.findings-acl.1096/
%U https://doi.org/10.18653/v1/2026.findings-acl.1096
%P 21791-21806
Markdown (Informal)
[MSIA: Adaptive Medical Multimodal Multi-turn Semantic Jailbreak](https://aclanthology.org/2026.findings-acl.1096/) (Han et al., Findings 2026)
ACL