FlowHijack: A Dynamics-Aware Backdoor Attack on Flow-Matching Vision-Language-Action Models

A research team led by Xinyuan An has unveiled FlowHijack, a novel backdoor attack framework specifically designed to exploit the unique dynamics of flow-matching Vision-Language-Action (VLA) models. These models, such as π₀, represent the cutting edge in robotics AI, generating smooth, continuous actions by learning vector fields rather than discrete outputs. FlowHijack combines a τ-conditioned injection strategy—which manipulates the initial phase of action generation—with a dynamics mimicry regularizer that ensures malicious actions maintain kinematic similarity to normal behavior. This approach fundamentally differs from previous attacks designed for autoregressive models, directly targeting the underlying physics of continuous control systems.

Experiments demonstrate that FlowHijack achieves high attack success rates using context-aware triggers where traditional methods fail completely. Crucially, the attack preserves benign task performance while generating malicious actions that are behaviorally indistinguishable from normal operations. The research, accepted at CVPR 2026, reveals that the very mechanism that makes flow-matching VLAs powerful—their continuous dynamics—creates a previously unexplored security vulnerability. This finding highlights an urgent need for new defense mechanisms specifically designed to protect the internal generative dynamics of embodied AI systems, as current security approaches are insufficient against this type of physics-aware attack.