DeepKeep Exposes “InkJect,” a New Visual Prompt Injection Vulnerability that Bypasses Guardrails in Leading AI Models
TEL AVIV, Israel, July 1, 2026 - DeepKeep, the end-to-end AI security platform, today unveiled a new class of visual prompt injection vulnerability, dubbed 'InkJect,' affecting leading visual language models including OpenAI's GPT-5.2, GPT-5.4 Mini, and Anthropic's Claude Sonnet 4.6, Opus 4.5. The attack allows malicious actors to embed hidden instructions inside images that VLMs process during regular operation, causing models to execute unauthorized actions without any indication to the user.
40% of all generative AI solutions are predicted to be multimodal by 2027. While major AI providers have deployed guardrails that detect conventional text-based prompt injection, DeepKeep's research demonstrates these protections do not extend to the visual processing layer, creating an exploitable blind spot. The InkJect vulnerability relies on indirect prompt injection, embedding malicious instructions within an image using near-invisible formatting techniques that bypass security scanning while remaining legible to the VLM.
In one test, a developer asked a VLM to add a basic information page to a website. The hidden instructions caused the model to silently insert a member login system with administrator credentials, giving an attacker full back-end access.
"AI's visual processing layer has been largely overlooked and less understood, and that is precisely what makes it valuable to malicious attackers," said Yossi Altevet, CTO and Co-Founder at DeepKeep. "We were able to manipulate models that would explicitly flag and refuse a text-based attack, simply by placing the instruction within an image."
The vulnerability was disclosed to both OpenAI and Anthropic.