JailbreakLoRA: Your Downloaded LoRA from Sharing Platforms might be Unsafe

Fanjunduo Wei; Zhenheng Tang; Rongfei Zeng; Tongliang Liu; Chengqi Zhang; Xiaowen Chu; Bo Han

JailbreakLoRA: Your Downloaded LoRA from Sharing Platforms might be Unsafe

Fanjunduo Wei (Co-first author)
, Zhenheng Tang (Co-first author)
, Rongfei Zeng^* (Co-first author)
, Tongliang Liu
, Chengqi Zhang
, Xiaowen Chu
, Bo Han

^*Corresponding author for this work

Department of Computer Science

Research output: Chapter in book/report/conference proceeding › Conference proceeding › peer-review

Abstract

Low-Rank Adaptation (LoRA) benefits from its plug-and-play nature, enabling large language models (LLMs) to achieve significant performance gains at low cost, has driven the development of LoRA-sharing platforms. However, the jailbreak and backdoor concerns associated with LoRA-sharing platforms remain underexplored. Existing LoRA-based attacks primarily focus on achieving high attack success rates, while neglecting the core reason why LoRA is adopted by user, i.e. to gain downstream task capabilities. However, achieving effective attacks while preserving strong multi-task performance remains challenging, as the largely unrelated objectives tend to interfere with each other during optimization. In this paper, we propose JailbreakLoRA, a multi-task jailbreak LoRA training method that balances task utility and attack capability, it resolves training interference by uncertainty-weighting losses and mitigating gradient conflicts. Additionally, JailbreakLoRA is designed to generate an affirmative prefix upon trigger activation, exploiting inference-time hallucinations to enhance the effectiveness of jailbreak. Experimental results demonstrate that our method outperforms SOTA LoRA-based attacks, achieving a 16.0% improvement in attack success rate while also enhancing performance on multi-downstream tasks by 16.5% in average.

Original language	English
Title of host publication	The Fourteenth International Conference on Learning Representations, ICLR 2026
Publisher	International Conference on Learning Representations, ICLR
Pages	1-27
Number of pages	27
Publication status	Published - 26 Jan 2026
Event	14th International Conference on Learning Representations, ICLR 2026 - Rio de Janeiro, Brazil Duration: 23 Apr 2026 → 27 Apr 2026 https://iclr.cc/Conferences/2026 (Conference website) https://openreview.net/group?id=ICLR.cc/2026 (Conference proceedings) https://iclr.cc/virtual/2026/calendar (Conference schedule)

Publication series

Name	International Conference on Learning Representations
Publisher	International Conference on Learning Representations, ICLR

Conference

Conference	14th International Conference on Learning Representations, ICLR 2026
Abbreviated title	ICLR 2026
Country/Territory	Brazil
City	Rio de Janeiro
Period	23/04/26 → 27/04/26
Internet address	https://iclr.cc/Conferences/2026 (Conference website) https://openreview.net/group?id=ICLR.cc/2026 (Conference proceedings) https://iclr.cc/virtual/2026/calendar (Conference schedule)

UN SDGs

This output contributes to the following UN Sustainable Development Goals (SDGs)

SDG 9 Industry, Innovation, and Infrastructure

User-Defined Keywords

Jailbreak
LoRA
Large Language Models

Access to Document

https://openreview.net/pdf?id=4YgvVRoSnF

Cite this

Wei, F., Tang, Z., Zeng, R., Liu, T., Zhang, C., Chu, X., & Han, B. (2026). JailbreakLoRA: Your Downloaded LoRA from Sharing Platforms might be Unsafe. In The Fourteenth International Conference on Learning Representations, ICLR 2026 (pp. 1-27). (International Conference on Learning Representations). International Conference on Learning Representations, ICLR. https://openreview.net/pdf?id=4YgvVRoSnF

@inproceedings{43952b72ba354befa144e971276d453f,

title = "JailbreakLoRA: Your Downloaded LoRA from Sharing Platforms might be Unsafe",

abstract = "Low-Rank Adaptation (LoRA) benefits from its plug-and-play nature, enabling large language models (LLMs) to achieve significant performance gains at low cost, has driven the development of LoRA-sharing platforms. However, the jailbreak and backdoor concerns associated with LoRA-sharing platforms remain underexplored. Existing LoRA-based attacks primarily focus on achieving high attack success rates, while neglecting the core reason why LoRA is adopted by user, i.e. to gain downstream task capabilities. However, achieving effective attacks while preserving strong multi-task performance remains challenging, as the largely unrelated objectives tend to interfere with each other during optimization. In this paper, we propose JailbreakLoRA, a multi-task jailbreak LoRA training method that balances task utility and attack capability, it resolves training interference by uncertainty-weighting losses and mitigating gradient conflicts. Additionally, JailbreakLoRA is designed to generate an affirmative prefix upon trigger activation, exploiting inference-time hallucinations to enhance the effectiveness of jailbreak. Experimental results demonstrate that our method outperforms SOTA LoRA-based attacks, achieving a 16.0\% improvement in attack success rate while also enhancing performance on multi-downstream tasks by 16.5\% in average.",

keywords = "Jailbreak, LoRA, Large Language Models",

author = "Fanjunduo Wei and Zhenheng Tang and Rongfei Zeng and Tongliang Liu and Chengqi Zhang and Xiaowen Chu and Bo Han",

note = "FW and RZ were supported by NSFC under Grant. No. 62572110. FW and BH were supported by NSFC General Program No. 62376235, RGC Young Collaborative Research Grant No. C2005-24Y, and HKBU CSD Departmental Incentive Scheme. ZT and XC were partially supported by National Natural Science Foundation of China under Grant No. 62272122, and Hong Kong CRF grants under Grant No. C7004-22G and C6015-23G. TL was partially supported by the following Australian Research Council projects: FT220100318, DP260102466, DP220102121, LP220100527, LP220200949. ; 14th International Conference on Learning Representations, ICLR 2026, ICLR 2026 ; Conference date: 23-04-2026 Through 27-04-2026",

year = "2026",

month = jan,

day = "26",

language = "English",

series = "International Conference on Learning Representations",

publisher = "International Conference on Learning Representations, ICLR",

pages = "1--27",

booktitle = "The Fourteenth International Conference on Learning Representations, ICLR 2026",

url = "https://iclr.cc/Conferences/2026, https://openreview.net/group?id=ICLR.cc/2026, https://iclr.cc/virtual/2026/calendar",

}

Wei, F, Tang, Z, Zeng, R, Liu, T, Zhang, C, Chu, X & Han, B 2026, JailbreakLoRA: Your Downloaded LoRA from Sharing Platforms might be Unsafe. in The Fourteenth International Conference on Learning Representations, ICLR 2026. International Conference on Learning Representations, International Conference on Learning Representations, ICLR, pp. 1-27, 14th International Conference on Learning Representations, ICLR 2026, Rio de Janeiro, Brazil, 23/04/26. <https://openreview.net/pdf?id=4YgvVRoSnF>

JailbreakLoRA: Your Downloaded LoRA from Sharing Platforms might be Unsafe. / Wei, Fanjunduo (Co-first author); Tang, Zhenheng (Co-first author); Zeng, Rongfei (Co-first author) et al.
The Fourteenth International Conference on Learning Representations, ICLR 2026. International Conference on Learning Representations, ICLR, 2026. p. 1-27 (International Conference on Learning Representations).

Research output: Chapter in book/report/conference proceeding › Conference proceeding › peer-review

TY - GEN

T1 - JailbreakLoRA: Your Downloaded LoRA from Sharing Platforms might be Unsafe

AU - Wei, Fanjunduo

AU - Tang, Zhenheng

AU - Zeng, Rongfei

AU - Liu, Tongliang

AU - Zhang, Chengqi

AU - Chu, Xiaowen

AU - Han, Bo

N1 - FW and RZ were supported by NSFC under Grant. No. 62572110. FW and BH were supported by NSFC General Program No. 62376235, RGC Young Collaborative Research Grant No. C2005-24Y, and HKBU CSD Departmental Incentive Scheme. ZT and XC were partially supported by National Natural Science Foundation of China under Grant No. 62272122, and Hong Kong CRF grants under Grant No. C7004-22G and C6015-23G. TL was partially supported by the following Australian Research Council projects: FT220100318, DP260102466, DP220102121, LP220100527, LP220200949.

PY - 2026/1/26

Y1 - 2026/1/26

N2 - Low-Rank Adaptation (LoRA) benefits from its plug-and-play nature, enabling large language models (LLMs) to achieve significant performance gains at low cost, has driven the development of LoRA-sharing platforms. However, the jailbreak and backdoor concerns associated with LoRA-sharing platforms remain underexplored. Existing LoRA-based attacks primarily focus on achieving high attack success rates, while neglecting the core reason why LoRA is adopted by user, i.e. to gain downstream task capabilities. However, achieving effective attacks while preserving strong multi-task performance remains challenging, as the largely unrelated objectives tend to interfere with each other during optimization. In this paper, we propose JailbreakLoRA, a multi-task jailbreak LoRA training method that balances task utility and attack capability, it resolves training interference by uncertainty-weighting losses and mitigating gradient conflicts. Additionally, JailbreakLoRA is designed to generate an affirmative prefix upon trigger activation, exploiting inference-time hallucinations to enhance the effectiveness of jailbreak. Experimental results demonstrate that our method outperforms SOTA LoRA-based attacks, achieving a 16.0% improvement in attack success rate while also enhancing performance on multi-downstream tasks by 16.5% in average.

AB - Low-Rank Adaptation (LoRA) benefits from its plug-and-play nature, enabling large language models (LLMs) to achieve significant performance gains at low cost, has driven the development of LoRA-sharing platforms. However, the jailbreak and backdoor concerns associated with LoRA-sharing platforms remain underexplored. Existing LoRA-based attacks primarily focus on achieving high attack success rates, while neglecting the core reason why LoRA is adopted by user, i.e. to gain downstream task capabilities. However, achieving effective attacks while preserving strong multi-task performance remains challenging, as the largely unrelated objectives tend to interfere with each other during optimization. In this paper, we propose JailbreakLoRA, a multi-task jailbreak LoRA training method that balances task utility and attack capability, it resolves training interference by uncertainty-weighting losses and mitigating gradient conflicts. Additionally, JailbreakLoRA is designed to generate an affirmative prefix upon trigger activation, exploiting inference-time hallucinations to enhance the effectiveness of jailbreak. Experimental results demonstrate that our method outperforms SOTA LoRA-based attacks, achieving a 16.0% improvement in attack success rate while also enhancing performance on multi-downstream tasks by 16.5% in average.

KW - Jailbreak

KW - LoRA

KW - Large Language Models

UR - https://openreview.net/forum?id=4YgvVRoSnF

M3 - Conference proceeding

T3 - International Conference on Learning Representations

SP - 1

EP - 27

BT - The Fourteenth International Conference on Learning Representations, ICLR 2026

PB - International Conference on Learning Representations, ICLR

T2 - 14th International Conference on Learning Representations, ICLR 2026

Y2 - 23 April 2026 through 27 April 2026

ER -

JailbreakLoRA: Your Downloaded LoRA from Sharing Platforms might be Unsafe

Abstract

Publication series

Conference

UN SDGs

User-Defined Keywords

Access to Document

Other files and links

Fingerprint

Cite this