Disclaimer: This paper contains NSFW imagery that might be offensive to some readers.
_01.png)
Identity-preserving models have led to notable progress in generating personalized content. Unfortunately, such models also exacerbate risks when misused, for instance, by generating threatening content targeting specific individuals. This paper introduces the Attribute Misbinding Attack, a novel method that poses a threat to identity-preserving models by inducing them to produce Not-Safe-For-Work (NSFW) content. The attack's core idea involves crafting benign-looking textual prompts to circumvent text-filter safeguards and leverage a key model vulnerability: flawed attribute binding that stems from its internal attention bias. This results in misattributing harmful descriptions to a target identity and generating NSFW outputs. To facilitate the study of this attack, we present the Misbinding Prompt evaluation set, which examines the content generation risks of current state-of-the-art identity-preserving models across four risk dimensions: pornography, violence, discrimination, and illegality. Additionally, we introduce the Attribute Binding Safety Score (ABSS), a metric for concurrently assessing both content fidelity and safety compliance. Experimental results show that our Misbinding Prompt evaluation set achieves a 5.28% higher success rate in bypassing five leading text filters (including GPT-4o) compared to existing main-stream evaluation sets, while also demonstrating the highest proportion of NSFW content generation. The proposed ABSS metric enables a more comprehensive evaluation of identity-preserving models by concurrently assessing both content fidelity and safety compliance.
The proposed framework for generating Misbinding Prompt evaluation set and evaluating the safety of identity-preserving models. The framework consists of four stages: (1) Sensitive Term Expansion, to methodically broaden the vocabulary of sensitive terms; (2) Attribute Misbinding Attack, to programmatically create prompts via predefined strategies; (3) Diffusion Generation, to use prompts and identity reference images for synthesis; (4) Attribute Binding Safety Score Calculation, where an MLLM assesses the output to calculate the final score.
The model erroneously binds sensitive attributes intended for the background or objects to the main human subject, thereby generating NSFW content.
ABSS (Attribute Binding Safety Score) is a comprehensive metric developed to concurrently assess both content fidelity and safety compliance, quantifying the model's ability to avoid misattributing sensitive descriptors to the target identity.
This research would not have been possible without the generous contributions from the open-source community. We gratefully acknowledge the developers of the identity-preserving models (e.g., UniPortrait, PuLID, PhotoMaker) and the safety mechanisms (text filters and evaluation metrics) that served as the foundation for our experiments. Regarding data resources, we thank the authors of StyleGAN2 and CelebA-Dialog for providing high-quality synthesized and annotated face images.
@misc{fu2025unveiling,
title={Unveiling the Attribute Misbinding Threat in Identity-Preserving Models},
author={Junming Fu and Jishen Zeng and Yi Jiang and Peiyu Zhuang and Baoying Chen and Siyu Lu and Jianquan Yang},
year={2025},
eprint={2512.15818},
archivePrefix={arXiv},
primaryClass={cs.CR}
}