Anthropic's Claude Mythos AI Uncovers 10,000+ Critical Software Vulnerabilities in First Month
- May 26
- 3 min read
Key Findings
Project Glasswing, Anthropic's month-old initiative using Claude Mythos AI, uncovered over 10,000 high or critical-severity vulnerabilities in systemically important software
Partner bug discovery rates increased more than tenfold, with Cloudflare identifying 2,000 bugs across critical systems
Independent security evaluations confirmed over 90% validity of flagged vulnerabilities, with over 62% confirmed as high or critical severity
A critical certificate forgery flaw (CVE-2026-5194) was discovered in wolfSSL, used by five billion devices, rated 9.3 out of 10 in severity
The bottleneck has shifted from finding vulnerabilities to patching them, with human capacity for triage and deployment now the limiting factor
Anthropic is keeping Mythos private and has not released it publicly due to serious misuse potential
Background
Anthropic launched Project Glasswing in April 2026 as a defensive cybersecurity initiative to test Claude Mythos Preview, a frontier AI model designed to identify security weaknesses in widely used software. The program operates with about 50 restricted partners and represents one of the first large-scale evaluations of what advanced AI can accomplish when applied to critical code at scale.
Dramatic Increase in Vulnerability Detection
The results have been striking. Multiple partners reported their bug discovery rates jumped more than tenfold compared to previous methods. Cloudflare's experience is particularly notable, finding 2,000 bugs across critical-path systems, with 400 rated as high or critical severity. The company noted the false-positive rate was better than that of human testers. Mozilla's findings were similarly impressive, discovering 271 vulnerabilities in Firefox 150 during testing with Mythos, more than ten times the number found in Firefox 148 using an earlier Anthropic model.
Critical Real-World Impact
Beyond laboratory findings, Mythos demonstrated tangible security value. At an unnamed partner bank, the model helped detect and prevent a fraudulent $1.5 million wire transfer that occurred after a customer's email was compromised and followed by spoofed phone calls. This case underscores how AI-driven vulnerability detection can prevent active threats before they cause damage.
Validation from Independent Sources
External evaluations provided independent verification of Mythos's capabilities. The United Kingdom's AI Security Institute confirmed Mythos was the first model to solve both of its cyber range simulations from end to end. XBOW, an AI-powered security platform, called it a significant step up over existing systems on web exploit benchmarks. When six independent security research firms reviewed 1,752 high or critical-rated findings from Anthropic's open-source scanning, over 90% were confirmed as valid.
The wolfSSL Discovery
Among the most critical findings was the identification of CVE-2026-5194, a certificate forgery vulnerability in wolfSSL, an open-source encryption library used across five billion devices including smart gadgets and routers. The flaw carries a severity rating of 9.3 out of 10, with some researchers rating it maximum severity. Mythos even demonstrated how attackers could exploit this to forge digital identities and create convincing fake banking websites.
The Patching Bottleneck
While Mythos excels at finding flaws, a significant gap has emerged between discovery and remediation. The report states that the bottleneck is now human capacity to triage, report, and design patches for vulnerabilities. Although the average bug fix takes two weeks, the sheer volume uncovered has created a substantial backlog. Palo Alto Networks, Microsoft, and Oracle are among the companies rolling out fixes faster than usual, yet the rate of discovery still outpaces their ability to respond.
Quality Concerns in Open-Source Communities
Anthropic scanned over 1,000 open-source projects and flagged 23,019 potential vulnerabilities, with 6,202 estimated as high or critical. Open-source maintainers have been dealing with waves of low-quality, AI-generated bug reports in general, so Anthropic attempts to reproduce and assess each issue before reporting. In some cases at maintainers' request, Anthropic disclosed bugs with less vetting, reporting 1,129 such cases, with the model estimating 175 to be high or critical.
Security Concerns Preventing Public Release
Anthropic has deliberately kept Mythos-class models private, stating that no company has yet developed adequate safeguards to prevent serious misuse. An AI system capable of finding vulnerabilities at this scale could be weaponized if made widely available. Instead, Anthropic has released Claude Security in public beta for enterprise customers, which has been used to patch over 2,100 vulnerabilities in three weeks using the publicly available Claude Opus 4.7.
Future Plans and Broader Strategy
The company plans to expand Project Glasswing with additional partners, including U.S. and allied governments, before any broader release of the underlying model. Anthropic has also launched a Cyber Verification Program for security professionals. The company emphasizes that while Glasswing gives systemically important cyber defenders an asymmetric advantage, there is an urgent need for as many organizations as possible to strengthen their defenses using the available tools and resources being provided.
Sources
https://cyberscoop.com/anthropic-mythos-software-flaws-glasswing/
https://hackread.com/claude-mythos-ai-vulnerabilities-one-month/
https://www.engadget.com/2180028/anthropic-claude-mythos-preview-project-glasswing-update
https://www.investing.com/news/stock-market-news/anthropic-finds-over-10000-software-flaws-in-first-month-of-project-glasswing-93CH-4707347
https://www.instagram.com/p/DYq3C6QjzqV

Comments