Long-context jailbreaks: how goal positioning weakens LLM safety
A CMU study shows that padding a harmful request with benign filler and placing the goal early in a long context reliably degrades refusals across LLaMA, Qwen, Mistral, and Gemini.
What is this?
A research team from Carnegie Mellon University — Rishi Rajesh Shah, Chen Henry Wu, Shashwat Saxena, Ziqian Zhong, Alexander Robey, and Aditi Raghunathan — published a paper titled Jailbreaking in the Haystack (arXiv, first submitted 5 November 2025). It introduces a technique the authors call NINJA (needle-in-haystack jailbreak attack) and makes a simple, uncomfortable point: the million-token context windows that now power document analysis and computer-use agents also open a safety gap that shorter contexts did not have.
The finding matters in 2026 precisely because long context has become the default. Models routinely ingest entire codebases, long transcripts, and multi-document bundles, and the same length that makes them useful is what the study turns against them. This is an analysis of a published, peer-reviewed-track result, framed defensively. We describe the mechanism at a conceptual level and do not reproduce a working jailbreak string.
How it works
NINJA does not rely on an adversarial suffix, an obfuscated payload, or a cleverly worded persona. It takes a harmful goal and surrounds it with a large volume of benign, on-topic, model-generated filler — the “haystack” — so the request sits inside a long, innocuous-looking context. Two observations make it effective.
The first is positional. The authors report that where the harmful goal sits in the context strongly affects whether the model refuses. Placing the goal early yields the highest attack success rate, apparently because the model attends heavily to early tokens and has little opportunity for a safety check to override generation once it is underway. Pushing the same goal to the end of a long context reduces success, suggesting the model deprioritizes late-appearing instructions relative to the earlier material it has already committed to.
The second is economic. Under a fixed compute budget, the paper finds NINJA to be compute-optimal: spending tokens on a longer benign context can beat spending the same budget on more attempts in a best-of-N approach. Because the filler is benign and model-generated rather than adversarial gibberish, the method is also described as low-resource, transferable across models, and harder to catch with detectors tuned for suspicious strings. In evaluations on the HarmBench safety benchmark, the technique raised attack success rates across LLaMA, Qwen, Mistral, and Gemini — open and proprietary alike.
Why it matters
The uncomfortable implication is that the vulnerability is structural, not a wording trick. It arises from how alignment interacts with long sequences: safety behavior learned and evaluated mostly on short prompts does not necessarily hold when the harmful intent is a small needle inside a large, benign haystack. This is the long-context cousin of a pattern we have covered before — that safety often lives in a shallow, early portion of the response and can be diluted, as in chain-of-thought hijacking that thins out refusals and many-shot jailbreaking that overwhelms alignment with in-context volume.
The risk surface is largest exactly where long context is most valuable: computer-use and document-processing agents that pull in untrusted material. An agent asked to summarize or act on a long attachment is, in effect, being handed a haystack chosen by whoever supplied the document. It also rhymes with the broader lesson that safety alignment needs to run deeper than the first few tokens rather than being concentrated at the start of a generation.
Defenses
The practical takeaway is that prompt-level filtering is not enough on its own, because the trigger content is benign by construction. Defenders should treat long, externally supplied contexts as elevated risk and apply safety evaluation across the whole window rather than only at the opening tokens — chunked or sliding-window moderation that re-checks intent regardless of where a goal appears, and output-side classifiers that judge the completion rather than trusting the input to look clean. Position-invariant safety, where refusal behavior does not depend on where a request lands, is the property to test for directly; red-team suites should include long-context and goal-positioning cases, not just short adversarial prompts.
The deeper mitigation is architectural, and it is the same conclusion independent 2026 red-team analyses have reached: assume some jailbreaks will land and constrain what a jailbroken model can actually do. Least privilege on tools, sandboxing, human-in-the-loop gates on consequential actions, and output gating limit blast radius whether or not the refusal held. That containment posture — narrowing capability rather than betting everything on the model saying no — is what keeps a positioning trick inside a long document from turning into a real-world action.
Status
| Item | Detail |
|---|---|
| Publication | Jailbreaking in the Haystack, arXiv 2511.04707, submitted 2025-11-05 |
| Authors | Shah, Wu, Saxena, Zhong, Robey, Raghunathan (Carnegie Mellon University) |
| Method | Benign long-context padding (NINJA) with early goal positioning; no adversarial suffix |
| Evidence | Elevated attack success on HarmBench across LLaMA, Qwen, Mistral, Gemini; compute-optimal vs best-of-N |
| Fix status | No single patch; mitigation is context-wide safety evaluation, output gating, and least-privilege agent design |
| Nature | Educational analysis of published research; no jailbreak payload reproduced |
This article summarizes academic research as of 2026-07-15. Model behavior on long contexts changes across versions and providers; treat the positional findings as a class of weakness to test for rather than a fixed property of any one model.