top of page

Anthropic's Claude Mythos AI Uncovers 10,000+ Critical Software Vulnerabilities in First Month

  • May 26
  • 3 min read

Key Findings


  • Project Glasswing, Anthropic's month-old initiative using Claude Mythos AI, uncovered over 10,000 high or critical-severity vulnerabilities in systemically important software

  • Partner bug discovery rates increased more than tenfold, with Cloudflare identifying 2,000 bugs across critical systems

  • Independent security evaluations confirmed over 90% validity of flagged vulnerabilities, with over 62% confirmed as high or critical severity

  • A critical certificate forgery flaw (CVE-2026-5194) was discovered in wolfSSL, used by five billion devices, rated 9.3 out of 10 in severity

  • The bottleneck has shifted from finding vulnerabilities to patching them, with human capacity for triage and deployment now the limiting factor

  • Anthropic is keeping Mythos private and has not released it publicly due to serious misuse potential


Background


Anthropic launched Project Glasswing in April 2026 as a defensive cybersecurity initiative to test Claude Mythos Preview, a frontier AI model designed to identify security weaknesses in widely used software. The program operates with about 50 restricted partners and represents one of the first large-scale evaluations of what advanced AI can accomplish when applied to critical code at scale.


Dramatic Increase in Vulnerability Detection


The results have been striking. Multiple partners reported their bug discovery rates jumped more than tenfold compared to previous methods. Cloudflare's experience is particularly notable, finding 2,000 bugs across critical-path systems, with 400 rated as high or critical severity. The company noted the false-positive rate was better than that of human testers. Mozilla's findings were similarly impressive, discovering 271 vulnerabilities in Firefox 150 during testing with Mythos, more than ten times the number found in Firefox 148 using an earlier Anthropic model.


Critical Real-World Impact


Beyond laboratory findings, Mythos demonstrated tangible security value. At an unnamed partner bank, the model helped detect and prevent a fraudulent $1.5 million wire transfer that occurred after a customer's email was compromised and followed by spoofed phone calls. This case underscores how AI-driven vulnerability detection can prevent active threats before they cause damage.


Validation from Independent Sources


External evaluations provided independent verification of Mythos's capabilities. The United Kingdom's AI Security Institute confirmed Mythos was the first model to solve both of its cyber range simulations from end to end. XBOW, an AI-powered security platform, called it a significant step up over existing systems on web exploit benchmarks. When six independent security research firms reviewed 1,752 high or critical-rated findings from Anthropic's open-source scanning, over 90% were confirmed as valid.


The wolfSSL Discovery


Among the most critical findings was the identification of CVE-2026-5194, a certificate forgery vulnerability in wolfSSL, an open-source encryption library used across five billion devices including smart gadgets and routers. The flaw carries a severity rating of 9.3 out of 10, with some researchers rating it maximum severity. Mythos even demonstrated how attackers could exploit this to forge digital identities and create convincing fake banking websites.


The Patching Bottleneck


While Mythos excels at finding flaws, a significant gap has emerged between discovery and remediation. The report states that the bottleneck is now human capacity to triage, report, and design patches for vulnerabilities. Although the average bug fix takes two weeks, the sheer volume uncovered has created a substantial backlog. Palo Alto Networks, Microsoft, and Oracle are among the companies rolling out fixes faster than usual, yet the rate of discovery still outpaces their ability to respond.


Quality Concerns in Open-Source Communities


Anthropic scanned over 1,000 open-source projects and flagged 23,019 potential vulnerabilities, with 6,202 estimated as high or critical. Open-source maintainers have been dealing with waves of low-quality, AI-generated bug reports in general, so Anthropic attempts to reproduce and assess each issue before reporting. In some cases at maintainers' request, Anthropic disclosed bugs with less vetting, reporting 1,129 such cases, with the model estimating 175 to be high or critical.


Security Concerns Preventing Public Release


Anthropic has deliberately kept Mythos-class models private, stating that no company has yet developed adequate safeguards to prevent serious misuse. An AI system capable of finding vulnerabilities at this scale could be weaponized if made widely available. Instead, Anthropic has released Claude Security in public beta for enterprise customers, which has been used to patch over 2,100 vulnerabilities in three weeks using the publicly available Claude Opus 4.7.


Future Plans and Broader Strategy


The company plans to expand Project Glasswing with additional partners, including U.S. and allied governments, before any broader release of the underlying model. Anthropic has also launched a Cyber Verification Program for security professionals. The company emphasizes that while Glasswing gives systemically important cyber defenders an asymmetric advantage, there is an urgent need for as many organizations as possible to strengthen their defenses using the available tools and resources being provided.


Sources


  • https://cyberscoop.com/anthropic-mythos-software-flaws-glasswing/

  • https://hackread.com/claude-mythos-ai-vulnerabilities-one-month/

  • https://www.engadget.com/2180028/anthropic-claude-mythos-preview-project-glasswing-update

  • https://www.investing.com/news/stock-market-news/anthropic-finds-over-10000-software-flaws-in-first-month-of-project-glasswing-93CH-4707347

  • https://www.instagram.com/p/DYq3C6QjzqV

Recent Posts

See All

Comments


  • Youtube

© 2025 by Explain IT Again. Powered and secured by Wix

bottom of page