The 6th Workshop of Adversarial Machine Learning on Computer Vision: Safety of Vision-Language Agents


The IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR 2026), Wed June 3 - Sun June 7, 2026, Denver, CO, USA.

AdvML Workshop: June 4, Room 708



Overview

Over the past few years, foundation models have fundamentally transformed the landscape of computer vision, enabling large-scale visual understanding, generation, and multimodal reasoning. Building upon these advances, vision-language agents, embodied or digital systems powered by multimodal foundation models, are rapidly emerging as a central paradigm for intelligent perception, decision-making, and human-AI interaction. These agents integrate perception (vision), cognition (language and reasoning), and action (planning and control) within a unified framework, thereby bridging the gap between visual recognition and autonomous behavior. However, the growing autonomy and complexity of such agents have also amplified their susceptibility to adversarial and safety-critical risks. Beyond traditional pixel-level perturbations, new attack surfaces arise from adversarial prompts, instruction injections, and jailbreak manipulations, which can disrupt reasoning chains, mislead perception, or induce harmful actions. These vulnerabilities highlight fundamental challenges in building safe, robust, and trustworthy vision-language agents for real-world applications, from autonomous driving and embodied robotics to interactive medical or industrial systems. Addressing these challenges demands a deeper understanding of multimodal robustness, causal reasoning, and secure perception-action coupling in complex environments.

The 6th Workshop on Adversarial Machine Learning in Computer Vision (6th AdvML@CV): Safety of Vision-Language Agents aims to bring together researchers and practitioners from computer vision, multimodal learning, and AI safety communities to advance the frontier of robust and trustworthy vision-language agents. Continuing the success of the previous five CVPR AdvML@CV workshops, which have attracted thousands of submissions, participants, and widespread attention, the 2026 edition will feature keynote talks by leading experts, contributed papers, and an international challenge on adversarial robustness for multimodal agents.

Through this workshop, we aim to foster cross-disciplinary collaboration, inspire new research directions, and catalyze the development of secure, reliable, and ethically aligned vision-language agents that can safely operate in dynamic and human-centered environments.

New: Poster Presentation Location: Board #248 - #255 in Exhibit Hall A, 15:00 - 18:00.
New: The Phase 2 dataset of Challenge is now available.
New: Phase 2 of the challenge has begun.
Important: The submission deadline has been extended to Mar. 7, 2026 (23:59, UTC±0).

Important Dates

Timeline

Workshop Schedule (Google Callendar)
Event Start time End time
Opening Remarks 9:00 9:15
Invited Talk #1: Prof. Bo Li 9:15 9:45
Invited Talk #2: Prof. Chaowei Xiao 9:45 10:15
Contributed Talk #1 10:15 10:30
Coffee Break 10:30 10:45
Invited Talk #3: Prof. Aditi Raghunathan 10:45 11:15
Invited talk #4: Prof. Florian Tramèr 11:15 11:45
Contributed Talk #2 11:45 12:00
Lunch (12:00-13:30)
Invited Talk #5: Dr. Nouha Dziri 13:30 14:00
Invited Talk #6: Dr. Jingwei Yi 14:00 14:30
Invited Talk #7: Prof. Ziwei Liu 14:30 15:00
Contributed Talk #3 15:00 15:10
Challenge Session 15:10 15:40
Poster Session 15:00 17:00

Proposed Speakers
Ziwei
Liu

Nanyang Technological
University

Chaowei
Xiao

Johns Hopkins University


Nouha
Dziri

Cohere Labs


Florian
Tramèr

ETH Zürich



Jingwei
Yi

BAAI

Aditi
Raghunathan

Carnegie Mellon University

Bo
Li

University of Illinois
at Urbana-Champaign


Aishan
Liu

Beihang University

Organizers
Jin
Hu

Zhongguancun
Laboratory
Tianyuan
Zhang

Beihang
University
Aishan
Liu

Beihang
University
Jiakai
Wang

Zhongguancun
Laboratory
Ruikai
Li

Beihang
University
Julia
Karbing

University of Oxford
Yinpeng
Dong

Tsinghua
University
Zhenfei
Yin

University of Oxford
Shao
Jing

Shanghai AI Laboratory
Xia
Hu

Shanghai AI Laboratory
Jingyi
Xu

Beihang University
Juntao
Dai

BAAI
Xinyun
Chen

Meta
Xianglong
Liu

Beihang
University
Vishal M.
Patel

Johns Hopkins University
Dawn
Song

UC Berkeley
Alan
Yuille

Johns Hopkins
University
Philip
H.S. Torr

Oxford
University
Dacheng
Tao

Nanyang Technological
University

Call for Papers

Vision-language agents, embodied or digital systems powered by multimodal foundation models, are rapidly emerging as a central paradigm for intelligent perception, decision-making, and human-AI interaction. These agents integrate perception (vision), cognition (language and reasoning), and action (planning and control) within a unified framework, thereby bridging the gap between visual recognition and autonomous behavior. However, beyond traditional pixel-level perturbations, new attack surfaces arise from adversarial prompts, instruction injections, and jailbreak manipulations, which can disrupt reasoning chains, mislead perception, or induce harmful actions. To foster the development of safe, robust, and trustworthy vision-language agents for real-world applications, we invite submissions on both theoretical and practical aspects of adversarial machine learning, with a specific focus on the safety of vision-language agents. We welcome research contributions related to the following (but not limited to) topics:
  • Attack and defense on vision-language agents
  • Datasets and benchmarks that could evaluate vision-language agents
  • Adversarial / Jailbreak attacks on vision-language agents
  • Improving the robustness of agents or deep learning systems
  • Interpreting and understanding model robustness, especially agentic AI
  • Adversarial attacks for social good
  • Alignment of vision-language agents
Format: Submissions papers (.pdf format) must use the CVPR 2026 Author Kit for LaTeX/Word Zip file and be anonymized and follow CVPR 2026 author instructions. The workshop considers two types of submissions: (1) Long Paper: Papers are limited to 8 pages excluding references; (2) Extended Abstract: Papers are limited to 4 pages including references. Accepted papers have the option to be included in the CVF and IEEE Xplore Proceedings.

Submission Site: https://openreview.net/group?id=thecvf.com/CVPR/2026/Workshop/Advml
Submission Due (both Paper and Supplementary Material): March 7, 2026, 11:59 PM (UTC±0)


Accepted Papers

Title Paper Supplementary Authors
ARMs: Adaptive Red-Teaming Agent against Multimodal Models with Plug-and-Play Attacks
★ Distinguished paper (Contribute Talk #1)
 [PDF] Zhaorun Chen, Xun Liu, Mintong Kang, Jiawei Zhang, Minzhou Pan, Shuang Yang, Bo Li
MirrorCheck: Efficient Adversarial Defense for Vision-Language Models
★ Distinguished paper (Contribute Talk #2)
 [PDF] [Supplementary] Samar Fares, Toluwani Aremu, Klea Ziu, Nikita Durasov, Martin Takáč, Pascal Fua, Karthik Nandakumar, Ivan Laptev
SkillJect: Automating Stealthy Skill-Based Prompt Injection for Coding Agents with Trace-Driven Closed-Loop Refinement
★ Distinguished paper (Contribute Talk #3)
 [PDF] [Supplementary] Xiaojun Jia, Jie Liao, Simeng Qin, Jindong Gu, Wenqi Ren, Xiaochun Cao, Yang Liu, Philip Torr
SafeGRPO: Self-Rewarded Multimodal Safety Alignment via Rule-Governed Policy Optimization [PDF] [Supplementary] Xuankun Rong, Wenke Huang, Tingfeng Wang, Daiguo Zhou, Bo Du, Mang Ye
Robustness of Vision Foundation Models to Common Perturbations [PDF] [Supplementary] Hongbin Liu, Zhengyuan Jiang, Cheng Hong, Neil Zhenqiang Gong
SASA: Sequence-Aware Shadow Attacks via Attention Alignment for Traffic Sign Recognition [PDF] Amir Salarpour, Pedram MohajerAnsari, David Fernandez, Mert D. Pesé
Interpretable Adversarial Prompt Tuning via Semantic Concepts [PDF] Pedram MohajerAnsari, Zongxi Liu, Yi Zhu, Amir Salarpour, Mert D. Pesé
Auditing Traffic-Sign Robustness via DDIM Inversion: Do Diffusion Latents Preserve Shadow Attacks? [PDF] Ashton B. McEntarffer, Amir Salarpour, Pedram MohajerAnsari, Mert D. Pesé
Evaluating Vulnerabilities in Vision-Language Models: Impact of Behavior-Induced Interference [PDF] Yuwei Chen, Shiyong Chu
ATAC: Augmentation-Based Test-Time Adversarial Correction for CLIP [PDF] [Supplementary] Linxiang Su, András Balogh

Challenge

With the rapid development of multimodal foundation models and vision-language agents (VLAs), their safety and security risks have become important concerns for both academia and industry. In safety-critical domains such as autonomous driving, VLAs are expected to understand complex driving scenes and generate reliable responses for driving-related reasoning and decision-making. Ensuring their robustness and safety is therefore essential.

To systematically explore the potential threats inherent in these systems and strengthen their practical safety, we are initiating this security challenge focused on adversarial multimodal attacks against VLAs. This initiative seeks to engage global developers, researchers, and security experts in designing and submitting adversarial inputs that reveal vulnerabilities in VLAs, particularly in autonomous driving scenarios based on DriveLM (https://github.com/OpenDriveLab/DriveLM). Participants are encouraged to design adversarial attacks that could induce unsafe, harmful, or misleading outputs, including but not limited to incorrect traffic understanding, unsafe driving-related reasoning, and misleading responses to driving questions. Through this collaborative effort, we aim to promote the development of comprehensive vulnerability evaluation frameworks, advance defensive paradigm innovation, and shape more secure development standards for next-generation VLAs. By proactively identifying and addressing these risks, this challenge contributes to building safer, more trustworthy AI systems capable of meeting the ethical and functional demands of their increasingly critical roles in society.

Challenge Site: https://challenge.aisafety.org.cn/#/competitionDetail?id=24

Timeline (Delayed)

Challenge Timeline
Mar 19, 2026 Competition starts
Mar 24, 2026 Phase 1 Data Release
Mar 27, 2026 Phase 1 starts
April 20, 2026 Phase 1 ends
April 27, 2026 Phase 2 Data Release
April 27, 2026 Phase 2 starts
May 16, 2026 Phase 2 ends
May 30, 2026 Results will be released and participants will be selected to present
June 2026 Awards and presentation

Challenge Chair
Tianyuan
Zhang

Beihang
University
Jin
Hu

Zhongguancun
Laboratory
Zonglei
Jing

Beihang
University
Jiangfan
Liu

Beihang
University
Hainan
Li

Data Space
Research Institute
Zhilei
Zhu

Data Space
Research Institute
Xianglong
Kong

Data Space
Research Institute
Zonghao
Ying

Beihang
University
Yisong
Xiao

Beihang
University
Lei
Chen

Tsinghua
University
Haotong
Qin

ETH
Zürich
Jiakai
Wang

Zhongguancun
Laboratory
Xianglong
Liu

Beihang
University

Sponsors

logo-img
logo-img
logo-img
logo-img


logo-img
logo-img

Program Committee

  • Akshayvarun Subramanya (UMBC)
  • Alexander Robey (UPenn)
  • Ali Shahin Shamsabadi (QMUL)
  • Angtian Wang (JHU)
  • Aniruddha Saha (UMBC)
  • Anshuman Suri (UVA)
  • Bernhard Egger (MIT)
  • Chenglin Yang (JHU)
  • Chirag Agarwal (Harvard)
  • Gaurang Sriramanan (IISc)
  • Jiachen Sun (MSU)
  • Jieru Mei (JHU)
  • Jun Guo (BUAA)
  • Ju He (JHU)
  • Kibok Lee (MSU)
  • Lifeng Huang (SYSU)
  • Maura Pintor (University of Cagliari)
  • Muhammad Awais (QMUL and BetterData)
  • Muzammal Naseer (ANU)
  • Nataniel Ruiz (BU)
  • Qihang Yu (JHU)
  • Qing Jin (NEU)
  • Rajkumar Theagarajan (UCR)
  • Ruihao Gong (BUAA)
  • Shiyu Tang (BUAA)
  • Shunchang liu (ETHZ)
  • Sravanti Addepalli (IISc)
  • Tianlin Li (NTU)
  • Wenxiao Wang (THU)
  • Hang Yu (BUAA)
  • Won Park (MSU)
  • Xiangning Chen (UCLA)
  • Xiaohui Zeng (U of T)
  • Xingjun Ma (DKU)
  • Xinwei Zhao (DU)
  • Yulong Cao (MSU)
  • Yutong Bai (JHU)
  • Zihao Xiao (JHU)
  • Zixin Yin (BUAA)
  • Siyang Wu (ZGCLab)
  • Haojie Hao (BUAA)
  • Zhengquan Sun (BUAA)