🎉🎉🎉 Our paper has been accepted to AAAI 2026 as an Oral 🏆!
The proposed framework for generating the Misbinding Prompt evaluation set and evaluating the safety of identity-preserving models.
The framework consists of four stages:
- Sensitive Term Expansion: Methodically broaden the vocabulary of sensitive terms.
- Attribute Misbinding Attack: Programmatically create prompts via predefined strategies.
- Diffusion Generation: Use prompts and identity reference images for synthesis.
- Attribute Binding Safety Score Calculation: An MLLM assesses the output to calculate the final score.
Demonstration of the proposed Attribute Misbinding Attack against five leading identity-preserving models.
To avoid infringing upon the portrait rights of real individuals, all reference face images used in this demonstration are portraits generated by StyleGAN2.
The Identity-Preserving Models tested in the paper are as follows:
| Model | File name | Paper or technical report |
|---|---|---|
| UniPortrait | UniPortrait_gen.py | UniPortrait: A Unified Framework for Identity-Preserving Single- and Multi-Human Image Personalization [ICCV 2025] |
| InfiniteYou | InfiniteYou_gen.py | InfiniteYou: Flexible Photo Recrafting While Preserving Your Identity [ICCV 2025 Highlight] |
| PuLID | PuLID_gen | PuLID: Pure and Lightning ID Customization via Contrastive Alignment [NeurIPS 2024] |
| PhotoMaker | PhotoMaker_gen.py | PhotoMaker: Customizing Realistic Human Photos via Stacked ID Embedding [CVPR 2024] |
| FLUX.1 Kontext | Flux-kontext_gen.py | FLUX.1 Kontext [dev] is a 12 billion parameter rectified flow transformer capable of editing images based on text instructions. |
The text filters used in the paper are as follows:
| Method | File name | GitHub/Hugging Face Pages |
|---|---|---|
| NSFW-TC | NSFW_TC.py | Fine-tuned DistilRoBERTa-base for NSFW Classification. |
| Latent Guard | LatenGuard_fliter.py | Democratic AI Safety: No one can define safety for all - Latent Guard helps you define yours. |
| Detoxify | detoxify_fliter.py | Toxic Comment Classification with ⚡ Pytorch Lightning and 🤗 Transformers. |
| LLM Template | qwen3_textfilen.py | |
The detectors used for Safety Evaluation in the paper are as follows:
| Method | File name | GitHub/Hugging Face Pages |
|---|---|---|
| Q16 | q16_evalution.py | Can Machines Help Us Answering Question 16 in Datasheets, and In Turn Reflecting on Inappropriate Content? |
| Flux-Fliter | flux-fliter.py | Official inference repo for FLUX.1 models. |
| MLLM Template | mllm_imgfliter.py | |
You can run the following script to configure the necessary environment:

```bash
conda create -n AMA python=3.10.4
conda activate AMA
pip install -r requirement.txt
```

Sensitive Term Expansion:

```bash
python sensitive_term_expansion.py \
  --input "/path/to/your/source_data.xlsx" \
  --output "/path/to/your/custom_output.xlsx" \
  --model_path "HuggingFace_User/Model_Name" \
  --start_row x \
  --end_row y
```

Attribute Misbinding Attack:

```bash
python Attribute_Misbinding_Attack/attribute_misbinding.py \
  --input "/path/to/another/input.xlsx" \
  --output "/path/to/results_500_1000.xlsx" \
  --model "/path/to/your/local_model" \
  --start x \
  --end y
```

Attribute Binding Safety Score Calculation:

```bash
python Attribute_Misbinding_Attack/abss_calculate.py \
  --input_xlsx "/path/to/another/input.xlsx" \
  --image_dir "/path/to/your/images_directory" \
  --model_path "/path/to/your/local_model" \
  --prompt_col "my_prompts" \
  --image_col "my_images" \
  --start x \
  --end y
```

This research would not have been possible without the generous contributions from the open-source community. We gratefully acknowledge the developers of the identity-preserving models (e.g., UniPortrait, PuLID, PhotoMaker) and the safety mechanisms (text filters and evaluation metrics) that served as the foundation for our experiments. Regarding data resources, we thank the authors of StyleGAN2 and CelebA-Dialog for providing high-quality synthesized and annotated face images.
If you find UniPortrait useful for your research and applications, please cite us using this BibTeX:
```bibtex
@misc{fu2025unveiling,
  title={Unveiling the Attribute Misbinding Threat in Identity-Preserving Models},
  author={Junming Fu and Jishen Zeng and Yi Jiang and Peiyu Zhuang and Baoying Chen and Siyu Lu and Jianquan Yang},
  year={2025},
  eprint={2512.15818},
  archivePrefix={arXiv},
  primaryClass={cs.CR}
}
```



