FlowHijack: A Dynamics-Aware Backdoor Attack on Flow-Matching VLA Models

Conference: CVPR 2026 arXiv: 2604.09651 Code: None Area: Multimodal VLM Keywords: backdoor attack, VLA model, flow matching, robot safety, vector field hijacking

TL;DR

FlowHijack is the first systematic backdoor attack framework targeting the vector field dynamics of flow-matching VLA models. It achieves high attack success rates and behavioral stealthiness via a τ-conditional injection strategy and a dynamic imitation regularizer.

Background & Motivation

Background: VLA models are emerging as the backbone of general-purpose robotics. Flow-matching VLAs (e.g., π₀) have attracted significant attention for their ability to generate smooth, continuous action trajectories, yet their security vulnerabilities remain largely unexplored.

Limitations of Prior Work: Existing backdoor attacks (e.g., BadVLA) are designed for discrete-tokenized VLAs; their label-flipping and token-substitution mechanisms cannot be directly transferred to continuous vector field dynamics. Existing triggers (e.g., pixel patches) are overly conspicuous in physical environments. Prior attacks also produce kinematically unnatural actions that are susceptible to detection.

Key Challenge: Action generation in flow-matching VLAs is driven by an ODE solver that produces continuous trajectories, presenting an attack surface fundamentally different from that of discrete-token models.

Goal: (1) Expose the vector field dynamics of flow-matching VLAs as a novel attack surface; (2) design stealthy, context-aware triggers; (3) ensure that malicious actions are kinematically indistinguishable from benign ones.

Key Insight: Exploit the characteristic over-sampling of flow-matching VLAs at low-τ stages by injecting malicious vector fields only during the initial phase of action generation.

Core Idea: Injecting a directional bias into the vector field at low-τ intervals causes the ODE solver to amplify the initial error across the entire trajectory.

Method

Overall Architecture

FlowHijack comprises three components: (1) a context-aware trigger (object state / scene semantics); (2) a vector field hijacking loss (τ-conditional injection); and (3) a dynamic imitation regularizer (ensuring kinematic stealthiness). The total loss is \(\mathcal{L}_{total} = (1-\alpha-\beta)\mathcal{L}_{FM} + \alpha\mathcal{L}_{BD} + \beta\mathcal{L}_{mimic}\).

Key Designs

1. τ-Conditional Injection Strategy:

   • Function: Precisely inject malicious dynamics during the initial phase of action generation.
   • Mechanism: The vector field hijacking loss is applied exclusively within \(\tau \in [0, \tau_0]\): \(\mathcal{L}_{BD} = \mathbb{E}\|v_\theta(A^\tau, o^+, \tau) - u(A^\tau|A^*)\|_2^2\). The path-amplification property of the ODE solver causes small deviations at the initial stage to accumulate and amplify over the entire trajectory.
   • Design Motivation: Models such as π₀ use a Beta distribution to over-sample low-τ values (emphasizing the initial coarse direction), which maximizes the impact of early-stage injection. Perturbing only the low-τ interval makes the backdoor extremely difficult to detect via static analysis.

2. Context-Aware Trigger:

   • Function: Maintain semantic plausibility and stealthiness in physical environments.
   • Mechanism: Two categories of triggers are employed—object-state triggers (e.g., an inverted cup or an open drawer in a kitchen scene) and scene-semantic triggers (e.g., a plant in the background or a person wearing a watch). Triggers are activated via a predicate \(P_{state}(o_t)\).
   • Design Motivation: Simple visual artifacts (e.g., pixel patches) are too conspicuous in physical environments. Context-aware triggers blend with environmental semantics and are difficult for humans to perceive.

3. Dynamic Imitation Regularizer:

   • Function: Ensure that malicious actions are kinematically indistinguishable from benign actions.
   • Mechanism: \(\mathcal{L}_{mimic} = \mathbb{E}_\tau |\|v_\theta(A^\tau, o^+)\|_2 - \|v_\theta(A^\tau, o)\|_2^{sg}|\) enforces the L2 norm (i.e., velocity profile) of the malicious vector field to match that of the benign vector field. \(sg\) denotes stop-gradient.
   • Design Motivation: Altering the direction of the vector field while preserving its physical magnitude keeps the velocity characteristics of robot motion normal, thereby circumventing detection methods based on kinematic anomalies.

Loss & Training

White-box fine-tuning poisoning scenario. A small poisoned dataset \(D_{poison}\) is injected into a pre-trained model. Hyperparameters \(\tau_0=0.4, \alpha=0.05, \beta=0.05\) are determined via grid search.

Key Experimental Results

Main Results

Trigger Type	Method	Clean Success Rate	Attack Success Rate
Object State	BadVLA	High	Low
Object State	FlowHijack	High	High
Scene Semantics	BadVLA	Medium	Low
Scene Semantics	FlowHijack	High	High

Ablation Study

Configuration	Key Metric	Remarks
No τ-conditional constraint	Clean performance degraded	Full-range injection disrupts normal behavior
No dynamic imitation	Kinematic anomalies	Malicious action velocity profile is abnormal
Pose-Locking	Fixed pose	Robot is paralyzed but conspicuous
Initial-Perturbation	Persistent deviation	More stealthy task failure

Key Findings

• FlowHijack can bypass existing defenses (target location filtering, downstream clean fine-tuning), highlighting the need for new dynamics-aware defenses.
• The Initial-Perturbation strategy is more stealthy than Pose-Locking—persistent small deviations cause the robot to reliably miss its target while appearing to move normally.
• Real-world experiments validate the attack's effectiveness in physical environments.

Highlights & Insights

• "Early Injection, Full-Path Amplification" Strategy: Cleverly exploits the properties of the ODE solver to inject the most effective bias at the least conspicuous stage.
• Dynamic Imitation Regularization: Pushes security analysis toward the statistical properties of vector fields, rendering the attack undetectable by conventional position/velocity inspection.
• Context-Aware Trigger Design: The object-state and scene-semantic triggers demonstrate the physical feasibility of AI security threats.

Limitations & Future Work

• As an attack paper, it necessitates the concurrent development of corresponding defense mechanisms.
• The controllability of triggers in real-world deployment is constrained by the physical environment.
• Evaluation is limited to the LIBERO simulation and a single real-robot environment.

Related Work & Insights

• vs. BadVLA: BadVLA targets discrete-token VLAs; FlowHijack is the first to attack the vector field dynamics of continuous flow-matching VLAs.
• vs. Adversarial Attacks: Adversarial attacks modify the input, whereas FlowHijack modifies the generative dynamics of the model.

Rating

• Novelty: ⭐⭐⭐⭐⭐ First to expose the vector field attack surface of flow-matching VLAs.
• Experimental Thoroughness: ⭐⭐⭐⭐ Comprehensive evaluation across simulation, real-world environments, and ablation studies.
• Writing Quality: ⭐⭐⭐⭐ Attack motivation and design are presented clearly.
• Value: ⭐⭐⭐⭐⭐ An important warning for the field of robot safety.

Related Papers

• [CVPR 2026] IAG: Input-aware Backdoor Attack on VLM-based Visual Grounding
• [CVPR 2026] Thinking in Dynamics: How Multimodal Large Language Models Perceive, Track, and Reason Dynamics in Physical 4D World
• [CVPR 2026] Aligning What Vision-Language Models See and Perceive with Adaptive Information Flow
• [CVPR 2026] Mixture of States (MoS): Routing Token-Level Dynamics for Multimodal Generation
• [CVPR 2026] Devil is in Narrow Policy: Unleashing Exploration in Driving VLA Models