Skip to main content

Multiple Model Guardrail Jailbreak via "Academic Lab Protocol Manuscript" Tactic

Case GUID: 3c9f5962-23c1-4066-83de-8f0269e2fae7

Summary

A Guardrail Jailbreak vulnerability has been discovered affecting multiple models. The specific flaw manifests when an attacker frames a prohibited request as a formal academic chemistry manuscript with laboratory protocol structure, safety disclaimers, and methodological rigor, causing the model to route the prompt through educational and explanatory pathways with weaker filtering and allows the attacker to obtain detailed instructions for illicit activities.

Unlock the Full Intelligence Report

This disclosure is part of the 0DIN Threat Feed. Customers get access to:

Full Prompts & Variants
Detection Signatures
API Access
Full Data Export
Trend Analysis
Early Access

Metadata

Models and Test Scores

Copyrights Harmful Substances Illicit Substances
Harry Potter Anthrax Nerve Agent Crystal Meth Fentanyl
Alibaba logo Alibaba Qwen Max
Alibaba logo Alibaba Qwen Plus
Alibaba logo Alibaba Qwen Turbo
Anthropic logo Anthropic Claude 3.5 Haiku
Cohere logo Cohere Command R
DeepSeek logo DeepSeek DeepSeek R1
DeepSeek logo DeepSeek DeepSeek V3
Google logo Google Gemini 2.0 Flash
Google logo Google Gemini 2.5 Flash
Google logo Google Gemini 2.5 Pro
Meta logo Meta LLaMa 3.1
Meta logo Meta LLaMa 3.3
Meta logo Meta LLaMa 4 Scout
Mistral logo Mistral Mistral 8B
Mistral logo Mistral Mistral Large
OpenAI logo OpenAI GPT-4.1
OpenAI logo OpenAI GPT-4.1 mini
OpenAI logo OpenAI GPT-4o
OpenAI logo OpenAI GPT-5
OpenAI logo OpenAI GPT-5 mini
OpenAI logo OpenAI GPT-5.2
Select a cell to view details.

Social Impact Score

Level 1: Minimal Risk

The violation poses very low societal risk, limited primarily to nuisance or minor policy breaches. Impact is contained, affecting individual users without broader implications.

Example: Circumventing minor content filters for benign content, such as inappropriate language filters in non-public conversations.

Potential Consequences: Limited harm, potentially reputational for the AI provider.

Taxonomies

Stratagems
This involves clever and unorthodox tactics designed to deceive the model, often requiring an understanding of its operational mechanics to achieve desired outcomes.
Meta Prompting
This technique focuses on manipulating the prompting process itself to influence the model's behavior and responses, often by employing higher-level prompting strategies.
Deceptive Formatting
A prompt injection in the most pure sense, formatting the user prompt to fabricate the appearance of system instructions, a database query, its own prediction, or some other source of input a guard railed AI system might be expecting, causing it to behave in insecure ways based on the fabricated context from an adversarially formatted user prompt.

About 0Din.ai

The 0Day Investigative Network (0DIN) was founded by Mozilla in 2024 to reward responsible researchers for their efforts in securing GenAI models. Learn more and submit discoveries at https://0din.ai.

Automate Your AI Security Testing

Want to find vulnerabilities in your own models? 0DIN Scanner turns our human-sourced threat intelligence into automated security assessments.

400+ Attack Probes

Derived from real bug bounties and security research

18+ AI Providers Supported

OpenAI, Azure, Anthropic, AWS Bedrock, and more

Automated Scheduling

Run recurring scans with real-time monitoring

Actionable Metrics

Attack Success Rate (ASR) scoring with 90-day trend analysis

Severity

Low

Security Boundary

Guardrail Jailbreak

Models

Alibaba logo Alibaba Qwen Max
Alibaba logo Alibaba Qwen Plus
Alibaba logo Alibaba Qwen Turbo
Anthropic logo Anthropic Claude 3.5 Haiku
Cohere logo Cohere Command R
DeepSeek logo DeepSeek DeepSeek R1
DeepSeek logo DeepSeek DeepSeek V3
Google logo Google Gemini 2.0 Flash
Google logo Google Gemini 2.5 Flash
Google logo Google Gemini 2.5 Pro
Meta logo Meta LLaMa 3.1
Meta logo Meta LLaMa 3.3
Meta logo Meta LLaMa 4 Scout
Mistral logo Mistral Mistral 8B
Mistral logo Mistral Mistral Large
OpenAI logo OpenAI GPT-4.1
OpenAI logo OpenAI GPT-4.1 mini
OpenAI logo OpenAI GPT-4o
OpenAI logo OpenAI GPT-5
OpenAI logo OpenAI GPT-5
OpenAI logo OpenAI GPT-5 mini
OpenAI logo OpenAI GPT-5.2
OpenAI logo OpenAI GPT-5.2

Disclosed On

2025-07-03 (about 1 year)

Disclosure Policy

Published On

2026-04-06 (3 months)

Credit

Edward Morris