Image prompt reconstruction: rebuilding private images from distributed MLLM embeddings
A June 2026 paper shows a passive participant in a distributed multimodal-LLM pipeline can rebuild the user's input image from the intermediate embeddings it relays. Black-box, no model weights needed.
What is this?
Image Prompt Reconstruction Attacks on Distributed MLLM Inference Frameworks (arXiv:2606.18710, [cs.CR], published June 17, 2026, by researchers at Shanghai Jiao Tong University and MBZUAI) studies a privacy leak specific to distributed inference of multimodal large language models. Distributed frameworks such as Petals and Cake — and platforms like Together.ai, Prime Intellect, and Modal — split a model across several consumer-grade machines: each participant holds a slice of the layers and passes intermediate embeddings to the next participant. The paper’s finding is that any participant in that chain can reconstruct the input image a user submitted, purely from the embeddings it relays.
The work is the first to demonstrate image reconstruction against MLLMs. Earlier research had already shown that text prompts leak from the embeddings exchanged in distributed text-LLM inference; this paper extends the threat to the visual modality, where an image carries far more personal detail than a short text prompt.
How it works
The threat model is deliberately weak, which is what makes it notable. The attacker is a normal, honest-but-curious participant in the pipeline. The attack is black-box (no access to model weights or architecture) and passive (it never tampers with the computation — it only observes the embeddings it legitimately receives). No special privilege is required beyond being one of the machines in the distributed run.
The attack has two stages. First, an image-embedding extraction step separates image tokens from text tokens inside the intertwined intermediate representation. MLLMs wrap visual tokens between stable special tokens (for example <start_of_image> / <end_of_image>), and the attacker locates those anchors to isolate the image embeddings. In the paper’s experiments this step reaches near-100% extraction accuracy across most layers.
From the extracted embeddings, the paper builds two complementary reconstructions:
- MPAA (Multi-resolution Patch Assembly Attack) — a pixel-level reconstruction. Because MLLMs cut images into fixed-size patches, each embedding mostly carries one patch’s information; MPAA recovers per-patch pixels and assembles them, fusing a high- and low-resolution draft for detail and structure. It works best on the early layers, where visual detail is still intact.
- IEDA (Image Embedding-guided Diffusion Attack) — a semantic-level reconstruction. It projects the embeddings into a semantic space and uses them to steer a diffusion model. IEDA is more robust when deeper layers have merged or pooled patches and fine detail is gone, recovering the scene’s content even when exact pixels cannot be.
The authors evaluate on Gemma 3, Phi 4 Multimodal, Qwen 2.5 VL, and Llama 4 Scout, across datasets including CelebA (faces), COCO Caption, and CC3M. MPAA gives high-fidelity pixel reconstruction on front layers; IEDA gives consistent semantic reconstruction across all layers and all four models.
Why it matters
Distributed inference is sold as a way to run big models cheaply by pooling untrusted machines — but pooling untrusted machines is exactly the risk. The embeddings passed between participants are not opaque. They are a recoverable encoding of the user’s input, and for images that input may be a face, a document, a medical scan, or a screenshot. A participant that contributes GPU time to a Petals-style swarm is, under this work, positioned to harvest everyone’s input images without ever breaking the protocol.
The deeper lesson generalises beyond this one paper: an intermediate activation is sensitive data, not a safe intermediate form. This is the multimodal echo of split-learning inversion and text prompt-inversion attacks. Anywhere a model is cut across a trust boundary and raw hidden states cross the wire, the party on the other side can often invert them back toward the input.
Defenses
Treat the pipeline boundary as a data-exfiltration boundary. If participants are not mutually trusted, assume any embedding you transmit can be inverted to the input. Keep the most input-revealing early layers — the image encoder and first decoder layers — on trusted, first-party hardware, and only distribute deeper layers where reconstruction is harder.
Don’t ship raw hidden states. Research on the text counterpart (arXiv:2606.11592, June 2026) explores information-theoretic, privacy-preserving representations that retain task utility while stripping invertible detail. Learned obfuscation, bottlenecking, or calibrated noise on transmitted activations raise the cost of reconstruction — at a measurable utility trade-off that should be tested, not assumed.
Protect the channel and the participants. Encrypt embeddings in transit, and gate who can join an inference swarm; an open, permissionless pool of relays is the worst case for this attack. For high-sensitivity workloads, run inference inside a trusted execution environment or keep it on single-tenant infrastructure rather than a shared distributed framework.
Minimise what the model sees. The leak is of the input image. Redact or crop personal regions before submission where the task allows, and avoid sending faces, identity documents, or medical images through multi-party inference at all.
Status
| Item | Detail |
|---|---|
| Source | arXiv:2606.18710 [cs.CR], June 17, 2026 |
| Class | Passive, black-box image-prompt reconstruction (privacy / data leak) |
| Setting | Distributed MLLM inference (Petals / Cake-style layer splitting) |
| Attacker | Honest-but-curious participant relaying intermediate embeddings |
| Methods | Embedding extraction (~100% acc.) → MPAA (pixel) + IEDA (semantic) |
| Tested on | Gemma 3, Phi 4 Multimodal, Qwen 2.5 VL, Llama 4 Scout |
| Status | Research disclosure; no specific product CVE; defense is design-level |