Papers
Topics
Authors
Recent
Search
2000 character limit reached

Transient Turn Injection: Exposing Stateless Multi-Turn Vulnerabilities in Large Language Models

Published 23 Apr 2026 in cs.CR and cs.AI | (2604.21860v1)

Abstract: LLMs are increasingly integrated into sensitive workflows, raising the stakes for adversarial robustness and safety. This paper introduces Transient Turn Injection(TTI), a new multi-turn attack technique that systematically exploits stateless moderation by distributing adversarial intent across isolated interactions. TTI leverages automated attacker agents powered by LLMs to iteratively test and evade policy enforcement in both commercial and open-source LLMs, marking a departure from conventional jailbreak approaches that typically depend on maintaining persistent conversational context. Our extensive evaluation across state-of-the-art models-including those from OpenAI, Anthropic, Google Gemini, Meta, and prominent open-source alternatives-uncovers significant variations in resilience to TTI attacks, with only select architectures exhibiting substantial inherent robustness. Our automated blackbox evaluation framework also uncovers previously unknown model specific vulnerabilities and attack surface patterns, especially within medical and high stakes domains. We further compare TTI against established adversarial prompting methods and detail practical mitigation strategies, such as session level context aggregation and deep alignment approaches. Our study underscores the urgent need for holistic, context aware defenses and continuous adversarial testing to future proof LLM deployments against evolving multi-turn threats.

Authors (2)

Summary

  • The paper introduces Transient Turn Injection (TTI) as a novel adversarial strategy that fragments sensitive prompts into isolated queries to bypass per-turn defenses.
  • Empirical evaluations reveal significant safety variances, with models like Gemini variants showing over 30% unsafe response rates under TTI conditions.
  • The study advocates for session-level moderation and deep base model alignment, such as Constitutional AI, as essential defenses against multi-turn adversarial exploits.

Transient Turn Injection: Exposing Stateless Multi-Turn Vulnerabilities in LLMs

Introduction

This work systematically investigates a novel adversarial prompt attack paradigm, termed Transient Turn Injection (TTI), against stateless moderation mechanisms in LLMs. TTI is designed to bypass per-turn safety filters by decomposing adversarial intents into sequences of queries, each issued in an isolated context, thus targeting the growing prevalence of stateless or context-truncated LLM deployments. The research demonstrates that current state-of-the-art models, including proprietary and open-source solutions, exhibit substantial variance in robustness when evaluated under this threat model, with only certain architectures providing measurable inherent resistance. This essay provides a detailed technical summary, highlighting empirical findings and theoretical implications.

Threat Model and Attack Formulation

TTI departs fundamentally from context-dependent jailbreaks and classic multi-turn adversarial prompting. Here, the attacker operates under a restricted, black-box setting:

  • Stateless API: No conversational or session memory is assumed; each prompt is a fresh interaction.
  • Adaptive Attacker Agent: An external LLM adaptively generates the next input using only the immediate previous response, never accessing full history.
  • Per-turn Moderation: Defender LLMs leverage stateless safety classifiers that independently screen each prompt–response pair.

Under these constraints, TTI incrementally reconstructs sensitive information, ensuring that each isolated query remains below the detection threshold, but the aggregate effect enables policy circumvention. Figure 1

Figure 1: TTI prompt evaluation pipeline where adversarial queries are distributed across stateless LLM turns and orchestrated by an attacker model.

Figure 2

Figure 2: Abstract threat model—three-phase adversarial loop of attacker preparation, multi-turn interaction, and exploitation.

Evaluation Framework and Empirical Results

A scalable automated pipeline was implemented for black-box TTI evaluation, leveraging attacker LLMs (e.g., Gemini-2.0-Flash) and defender models across API endpoints. The benchmark included commercial (OpenAI GPT-4o/4.1, Anthropic Claude-3.5-Haiku, Google Gemini, Meta LLaMA-4, DeepSeek, Mistral) and open-source models.

Safety Metrics

For each model, prompt–response safety outcomes were systematically classified using an external automated policy. Key metrics:

  • Safe Response Rate: Percentage of defender responses free from policy violations.
  • Unsafe Response Rate: Percentage of responses violating safety standards. Figure 3

    Figure 3: Safe response rates across all evaluated models, highlighting high variance and identification of robust architectures.

    Figure 4

    Figure 4: Unsafe response rates reveal classes of models (notably Gemini and some Mistral variants) failing in over 30% of adversarial cases.

Observations

  • Anthropic Claude-3.5-Haiku leads with a 98% safe response rate, followed closely by GPT-4 variants (≥92%).
  • Gemini-2.0-Flash, Gemini-1.5-Flash, and derivatives demonstrate only 60–66% safe response rates, with unsafe rates up to 40%, revealing significant susceptibility to TTI.

Vulnerability Category Analysis

A fine-grained categorization of model failures was conducted, with a focus on high-stakes domains:

  • Medical, Harmful, Unlawful, Adult, Unauthorized Practice
    • These categories were recurrently breached by all evaluated models, including most that otherwise passed basic safety audits.
    • Figure 5
    • Figure 5: Bipartite network, models (blue) connected to vulnerability categories (yellow) in which they were compromised by TTI.

  • Political, Misleading, Government vulnerabilities were less prevalent, indicating attack-style and domain specificity influences exploitability.

Comparative Ablation: TTI vs. PAIR

TTI was contrasted with Prompt Automatic Iterative Refinement (PAIR)—an established multi-turn, context-aware attack:

  • TTI consistently outpaces PAIR, especially against Gemini series and LLaMA-4, with TTI vulnerability hits 2-4× those of PAIR.
  • Only Claude-3.5-Haiku approaches genuine TTI resistance (2/40 TTI success rate), supporting claims that deep-alignment (Constitutional AI/RLAIF) at the base model level materially mitigates even stateless threats. Figure 6

    Figure 6: Horizontal grouped bar chart contrasting TTI and PAIR vulnerability hits, making explicit the differential resilience.

Defense Strategies and Mitigation Directions

Defensive maneuvers highlighted include:

  • Deep base model constitutional alignment (RLAIF): Emerges as the only robust solution against TTI, conferring nuance in refusal and immunity to stateless query decomposition.
  • Session-level/context-aware moderation: Aggregating risk over interaction sequences, rather than single turns, is effective but computationally and infrastructurally demanding.
  • Aggregate risk scoring and anomaly detection: User- and session-level analytics can flag distributed probing.
  • Adaptive rate limiting and user bans: Particularly effective against TTI, as attacks depend on session restarts after each filter trigger.

Empirical evidence underscores that post-hoc, stateless moderation is insufficient when attackers orchestrate persistent probing via adaptive agents, a threat amplified as multimodal LLMs and wider deployment contexts increase attack surface dimensionality.

Limitations and Future Directions

The evaluation is contingent on available attack techniques, automated policy oracles for judging safety violations, and API rate/cost constraints. TTI attack efficacy against future multimodal, cross-lingual, or context-rich LLM platforms remains a critical unknown. Additionally, the proprietary nature of some defender models’ alignment schemes (e.g., Anthropic’s RLAIF/Constitutional AI) limits reproducibility.

Anticipated vectors involve automated, orchestrated botnets executing TTI across modalities and users, requiring continuous adversarial testing and dynamic, session-spanning analytics for effective mitigation.

Conclusion

This study demonstrates that Transient Turn Injection is a high-impact adversarial prompt strategy that exposes the frailty of stateless, per-turn moderation in modern LLMs. Only architectures deeply aligned through principled RL-based safety (e.g., Constitutional AI) offer significant resistance. The heterogeneity in TTI susceptibility across commercial and open-source models affirms the necessity of session-level, context-sensitive, and aggregate-risk approaches to model safety. For deployment in high-stakes verticals, especially healthcare and security, LLM providers must go beyond legacy guardrails and confront the evolving reality of adaptive, stateless, multi-turn threats.

Paper to Video (Beta)

No one has generated a video about this paper yet.

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Collections

Sign up for free to add this paper to one or more collections.

Tweets

Sign up for free to view the 3 tweets with 0 likes about this paper.