IMA Attack — Collaborative-Adversarial Jailbreak Hits 89% Against Multi-Agent Systems

  • A new paper in Neural Networks introduces the IMA (Iterative Multi-Agent Adversarial) attack — a propagation-aware jailbreak framework designed specifically for multi-agent code generation systems.
  • The attack achieves 89% success rate against MetaGPT, CrewAI, and similar frameworks, significantly outperforming single-agent jailbreak baselines.
  • The core finding: multi-agent collaboration amplifies harm. When agents collaborate, adversarial instructions propagate and reinforce across agent boundaries, making the system more vulnerable than any individual agent.
  • IMA exploits the inter-agent communication channels that are central to frameworks like MetaGPT — the same message-passing that enables productive collaboration also distributes adversarial payloads.
  • Unlike traditional jailbreaks that target a single model's safety training, IMA treats the multi-agent architecture itself as the attack surface, using the collaboration protocol as a force multiplier.
  • The paper introduces a propagation-aware optimization: the attack crafts prompts that are designed not just to bypass one agent's guardrails, but to survive and amplify as they pass through the agent communication graph.
  • Defense implications are significant: simply applying per-agent safety training is insufficient. The collaboration layer itself needs guardrails — message validation, inter-agent trust boundaries, and anomaly detection on cross-agent instruction patterns.
  • This research was highlighted in Adversa AI's July 2026 agentic security roundup as one of the most concerning new attack vectors for production multi-agent deployments.

Why It Matters

Multi-agent architectures are becoming the default pattern for complex AI workflows — code generation, research pipelines, enterprise automation. This paper demonstrates that the collaboration dynamics that make these systems powerful also create a fundamentally new attack surface. An 89% jailbreak rate against production frameworks is not a theoretical concern; it's a deployment blocker for anyone running multi-agent systems without inter-agent trust boundaries.

What To Do

  • If you operate multi-agent systems, audit your inter-agent communication channels for adversarial payload propagation.
  • Implement message validation between agents — treat cross-agent instructions as untrusted input, not privileged commands.
  • Monitor for anomalous collaboration patterns: agents that suddenly change behavior after receiving inter-agent messages should trigger alerts.
  • Review the paper's propagation model to understand which of your agent topologies are most vulnerable to cascade attacks.

Sources