🤖 Humanoid 🦾 Industrial & Cobot 🚚 AGV / AMR 🐕 Quadruped ⚙️ Reducers · Servos · Sensors 🚁 Drones & Autonomy 🧠 Embodied AI
Robos News
Robotics

Trajectory-Level Redirection Attacks on Vision-Language-Action Models

arXiv:2606.12978v1 Announce Type: new Abstract: Vision-language-action (VLA) policies bring natural language into closed-loop robot control, enabling robots to execute manipulation tasks directly from text instructions. The same interface gives text a recurring role in control because the prompt is reused at every replanning step, and each prompt-conditioned action changes the future observations on which the policy acts. Existing VLA attacks study adversarial prompts that elicit targeted low-l

RN
Robos News Newsroom
Editorial Desk
· 2 min read
𝕏 in

Trajectory-Level Redirection Attacks on Vision-Language-Action Models

Published June 12, 2026 · Category: Robotics

Overview

arXiv:2606.12978v1 Announce Type: new Abstract: Vision-language-action (VLA) policies bring natural language into closed-loop robot control, enabling robots to execute manipulation tasks directly from text instructions. The same interface gives text a recurring role in control because the prompt is reused at every replanning step, and each prompt-conditioned action changes the future observations on which the policy acts. Existing VLA attacks study adversarial prompts that elicit targeted low-level actions or make such actions persist across changing images. We identify a stronger trajectory-level failure mode: a prompt that still $\textit{appears}$ to specify the intended task but redirects the final physical outcome. We mathematically formalize this setting as $\textit{command-preserving trajectory redirection}$, a prompt-only threat model in which the attacker chooses one prompt before the episode, all policy and environment components remain fixed, and the prompt must stay close to the benign instruction while omitting target words and correction language. To find such prompts, we introduce an on-policy prompt search method that uses rollouts to discover perturbations whose closed-loop behavior tracks a target task while satisfying the command-preserving constraints. Experiments in simulation and on hardware show that near-benign prompt perturbations can redirect VLA rollouts to attacker-specified targets. These results expose a trajectory-level vulnerability in VLA instruction grounding: text that appears to preserve the intended command can still give an adversary control over the robot's final physical outcome. Project website: https://vla-redirection-attack.github.io/

Source

Originally published at arxiv.org.

Related Articles

Source: https://arxiv.org/abs/2606.12978

CD
Robos News Newsroom

Robos News covers markets, crypto and commodities for Asia & the Middle East — tier-1 desk research, AI-driven analysis, institutional-grade data. Tip our newsroom: [email protected]

Email the newsroom →
Disclaimer: This article is for informational purposes only and does not constitute investment advice. Data may be delayed up to 15 minutes. Past performance is not indicative of future results. Consult a licensed financial advisor before making investment decisions.

Related Stories

More from News →
MassRobotics announces the winners of 2026 Robotics Medal and Rising Star awards
Robotics

MassRobotics announces the winners of 2026 Robotics Medal and Rising Star awards
AI in Warehousing: Akash Gupta’s vision for the future
Robotics

AI in Warehousing: Akash Gupta’s vision for the future
Robotics Summit panel explores the state of humanoid robot design
Robotics

Robotics Summit panel explores the state of humanoid robot design
Gatik to bring autonomous freight to PepsiCo’s North American supply chain
Robotics

Gatik to bring autonomous freight to PepsiCo’s North American supply chain