system: OPERATIONAL
← back to all hacks
PROMPT INJECTION MEDIUM NEW

The multilingual safety gap in LLM prompt injection defenses

A June 2026 study shows non-English prompts and light character encodings slip past LLM safety alignment far more often than English — the same attack, translated, gets more compliance.

2026-07-10 // 6 min affects: deepseek, gpt, gemini, grok, llama, qwen

What is this?

Most safety evaluation is done in English, and most guardrail tuning follows. A preprint released in late June 2026 puts a number on the cost of that habit. The authors ran a systematic empirical evaluation of prompt injection against six widely deployed model families — DeepSeek, GPT, Gemini, Grok, Llama and Qwen — across multiple languages and several light character encodings, and measured how often each model complied with adversarial instructions rather than refusing.

The headline finding is uncomfortable and consistent: non-English inputs produced higher malicious-compliance rates than the same requests in English across every model tested. A refusal that holds firmly in English weakens when the identical instruction is translated. The work echoes earlier multilingual results — including a 2026 Scientific Reports analysis of Indian-language models — and an October 2024 systematic study that first flagged how unevenly injection defenses generalize across languages. What is new here is the breadth: six current frontier families, measured together, on the same battery.

How it works

There is no exploit to reproduce, and this article deliberately contains none. The mechanism is a coverage gap, not a clever trick.

Safety alignment is learned behavior. The refusal boundary a model exhibits is only as good as the distribution of examples it was aligned on — and that distribution is overwhelmingly English. When an instruction arrives in a lower-resource language, or wrapped in a simple encoding, it lands slightly outside the region of input space where the model’s refusal reflexes were most heavily reinforced.

English request   ── falls inside dense refusal-training region ──▶ refused
Same request, in  ── falls near the edge of that region        ──▶ complied
a non-English lang    (safety signal weaker, task signal intact)

Two properties of the gap matter for defenders. First, task competence transfers better than safety competence. The model still understands the translated instruction well enough to act on it; only the guardrail lags. Second, the study reports that light character encodings reduce malicious output but do not eliminate it — so treating a single normalization step as a fix is a mistake. The paper also notes that the more elaborate, multi-stage phrasings raised compliance further, and that DeepSeek, Gemini and Grok were especially susceptible under complex instructions. The important lesson is not which model scored worst on one battery — rankings shift with every release — but that the gap is structural and shows up everywhere.

Why it matters

If your application accepts input in more than one language — a support bot, a RAG assistant over multilingual documents, an agent that reads web pages or email — then your effective safety posture is set by your weakest language, not your English test suite. An attacker who finds English refusals solid will simply switch locale. Retrieval-augmented and agentic systems make this worse, because the untrusted text a model ingests (a fetched page, a pasted document, a tool result) can be in any language the attacker chooses, regardless of the UI language.

This is a governance point as much as a technical one. Teams that certify a deployment as “safe” on the basis of English red-teaming are certifying a fraction of their real attack surface. The OWASP LLM Top 10 treats prompt injection (LLM01) as the primary risk class; the multilingual dimension is a coverage requirement hiding inside it.

Defenses

You cannot close an alignment gap you do not measure, so start there.

Red-team in every language you accept. Translate your English adversarial test set into each supported language and run it as a gate. Track refusal rates per language and treat a drop below your English baseline as a release blocker, not a footnote.

Do not rely on input normalization alone. Decoding and normalizing obfuscated input helps at the margin but, per the study, does not prevent malicious output. Use it as one layer, never the layer.

Filter output, not just input. An independent output-side classifier — ideally one that itself performs well multilingually — catches compliance that slipped past the input guardrail. Output filtering is language-agnostic in a way input intent detection is not.

Enforce the lethal-trifecta boundary architecturally. For agents and RAG, the durable mitigation is not better refusal — it is removing the capability an injection would abuse. Keep untrusted content, private data and exfiltration channels from coexisting in one context, and require human confirmation for consequential actions. A model that cannot exfiltrate cannot be talked into exfiltrating, in any language.

Prefer least-privilege over persuasion resistance. Scope tools, tokens and data access so that a successful injection reaches as little as possible. Assume the guardrail will eventually fail in some locale, and make that failure cheap.

Status

ItemDetail
Primary sourceEmpirical evaluation, arXiv preprint, late June 2026
Models evaluatedDeepSeek, GPT, Gemini, Grok, Llama, Qwen (families)
Key resultNon-English compliance consistently higher than English; light encodings reduce but do not stop malicious output
CorroborationMultilingual analysis (Scientific Reports, 2026); systematic cross-language study (arXiv, Oct 2024)
Fix statusNo patch — this is an alignment-coverage gap; mitigations are architectural and evaluative

This article summarizes publicly available research for defensive purposes and contains no operational attack instructions.

Sources