English

Cross-Lingual Jailbreak Detection via Semantic Codebooks

Computation and Language 2026-04-29 v1 Artificial Intelligence

Abstract

Safety mechanisms for large language models (LLMs) remain predominantly English-centric, creating systematic vulnerabilities in multilingual deployment. Prior work shows that translating malicious prompts into other languages can substantially increase jailbreak success rates, exposing a structural cross-lingual security gap. We investigate whether such attacks can be mitigated through language-agnostic semantic similarity without retraining or language-specific adaptation. Our approach compares multilingual query embeddings against a fixed English codebook of jailbreak prompts, operating as a training-free external guardrail for black-box LLMs. We conduct a systematic evaluation across four languages, two translation pipelines, four safety benchmarks, three embedding models, and three target LLMs (Qwen, Llama, GPT-3.5). Our results reveal two distinct regimes of cross-lingual transfer. On curated benchmarks containing canonical jailbreak templates, semantic similarity generalizes reliably across languages, achieving near-perfect separability (AUC up to 0.99) and substantial reductions in absolute attack success rates under strict low-false-positive constraints. However, under distribution shift - on behaviorally diverse and heterogeneous unsafe benchmarks - separability degrades markedly (AUC \approx 0.60-0.70), and recall in the security-critical low-FPR regime drops across all embedding models.

Keywords

Cite

@article{arxiv.2604.25716,
  title  = {Cross-Lingual Jailbreak Detection via Semantic Codebooks},
  author = {Shirin Alanova and Bogdan Minko and Sabrina Sadiekh and Evgeniy Kokuykin},
  journal= {arXiv preprint arXiv:2604.25716},
  year   = {2026}
}
R2 v1 2026-07-01T12:39:23.725Z