Does AI Reviewer See the Full Picture? Attacking and Defending Multimodal Peer Review

Large language models (LLMs) and multimodal LLMs (MLLMs) are being rapidly integrated into scientific peer review, with major conferences such as AAAI, ICML, and NeurIPS now piloting AI-generated reviews. Yet this creates a new attack surface: an adversary can manipulate a submission to corrupt the AI reviewer's judgment. This threat is distinct from standard jailbreaking as the goal is not a general safety violation but a domain-specific, targeted failure such as inflating a paper's score. Existing AI reviewer robustness studies mainly focus on text, while the figures, tables, and charts modalities also carry core scientific evidence to human review process. To address this gap, we introduce PaperGuard, the first comprehensive benchmark to systematically attack and defend multimodal AI peer review: a multimodal peer-review dataset of 1,136 papers spanning AI/ML and broader scientific domains; a unified attack suite combining black-box prompt injection with white-box gradient-based perturbations on both text (GCG) and figures (PGD); and a lightweight, practical defense based on chunk-based embedding search that localizes hidden malicious instructions within long documents. Our experiments reveal pervasive vulnerability: black-box prompt injection achieves up to 80% attack success rate against powerful proprietary models, and stronger models are often more susceptible due to their superior instruction-following. Imperceptible perturbations to a single figure inflate review scores by up to +14.11 points, confirming the insufficiency of text-only safeguards, and these visual attacks transfer across model architectures and scales without gradient access to the target. Our defense approach reaches 95.0% detection accuracy, and detects all real-world hidden prompt injections found in the wild.