VYPR
researchPublished May 23, 2026· Updated Jun 2, 2026· 10 sources

Anthropic's Project Glasswing Uncovers Over 10,000 High-Severity Vulnerabilities Using Claude Mythos AI

Anthropic's Project Glasswing has discovered over 10,000 high- or critical-severity vulnerabilities in widely used software using its Claude Mythos AI model, marking a major leap in automated vulnerability research.

Anthropic on Friday disclosed that Project Glasswing, a cybersecurity initiative leveraging its Claude Mythos AI model, has uncovered more than 10,000 high- or critical-severity vulnerabilities across systemically important software since launching last month. The effort involves about 50 partner organizations, including banks and security firms, that have been granted access to the frontier model to find flaws in widely used codebases.

Of the vulnerabilities identified, 6,202 were classified as high- or critical-severity, impacting over 1,000 open-source projects. Subsequent validation confirmed 1,726 as true positives, with 1,094 assessed as high- or critical-severity. One notable finding is a critical flaw in WolfSSL (CVE-2026-5194, CVSS 9.1) that could allow certificate forgery. So far, 97 findings have been patched upstream, and 88 advisories have been issued.

Anthropic acknowledged the challenge: "The relative ease of finding vulnerabilities compared with the difficulty of fixing them amounts to a major challenge for cybersecurity." The company urged software vendors to shorten patch cycles, noting that Microsoft has already seen a surge in patches due to AI-assisted discovery. Autonomous security platform XBOW described Mythos Preview as "a major advance" that is "substantially better than prior models at finding vulnerability candidates."

Beyond vulnerability discovery, Mythos Preview has demonstrated practical utility. In one case, a partner bank used the AI to detect and prevent a fraudulent $1.5 million wire transfer after a threat actor breached a customer's email account. This highlights the model's potential for real-time fraud detection and response.

Given that models with similar capabilities could become broadly available soon, Anthropic is urging organizations to harden their defenses. Recommendations include shortening patch testing and deployment timelines, enforcing multi-factor authentication, and maintaining comprehensive logs. The company has also launched a Cyber Verification Program, allowing security professionals to use its models without guardrails for legitimate research, similar to OpenAI's Daybreak initiative.

However, models like Mythos Preview and GPT-5.5-Cyber have not been released publicly due to concerns about inadequate safeguards against misuse at scale. Anthropic emphasized that Project Glasswing aims to give systemically important defenders an asymmetric advantage while urging broader adoption of security best practices.

The development comes amid a broader trend of AI-driven vulnerability discovery reshaping the cybersecurity landscape. As AI models become more capable, the gap between finding and fixing vulnerabilities may widen, necessitating faster patch cycles and more proactive defense measures.

The article adds that Anthropic partnered with over 50 organizations including Microsoft, Apple, Google, and Cloudflare, with Cloudflare alone finding 2,000 bugs. It also details that of 1,596 vetted findings reported to maintainers, only 97 have been patched, highlighting the industry's inability to keep pace with AI-driven vulnerability discovery. Additionally, Anthropic launched Claude Security in public beta using the Opus 4.7 model to help enterprises patch vulnerabilities while Mythos remains restricted.

Anthropic has now publicly stated its intention to eventually release Mythos-class models to the general public once sufficiently strong safeguards are developed, acknowledging that no current protections are adequate to prevent misuse. The company's latest update reveals Mythos has scanned over 1,000 open-source projects, finding 6,202 high-or-critical-severity vulnerabilities (23,019 total), with 90.6% of reported flaws confirmed valid. A critical flaw in the wolfSSL cryptography library (CVE-2026-5194) was exploited by Mythos to forge certificates, though a patch has already been released. Anthropic also notes that the flood of AI-discovered bugs is overwhelming maintainers, with only 75 of 530 high-or-critical bugs patched so far.

An updated tally from Anthropic now shows Mythos Preview has identified over 23,000 potential vulnerabilities across more than 1,000 OSS projects, with 1,726 confirmed by external security firms — more than 1,000 rated high or critical. The company estimates the final count of critical and high-severity flaws could reach 6,200 as scans continue. So far, 75 critical or high-severity issues have been patched, and 65 security advisories have been published, though Anthropic notes the patch rate is low due to the early stage of its 90-day disclosure window and the strain on the security ecosystem.

Anthropic disclosed that Mythos identified a critical vulnerability in wolfSSL, a cryptography library embedded in billions of devices, and constructed a working exploit capable of forging TLS certificates to impersonate banks or email providers. The company also revealed that patching has become a bottleneck, with open-source maintainers struggling to triage the flood of AI-discovered flaws, prompting a partnership with the Open Source Security Foundation's Alpha-Omega project. Additionally, Anthropic launched Claude Security in public beta and a Cyber Verification Program to help approved security teams use its models with fewer restrictions.

In a detailed update from partners, Cloudflare identified 2,000 bugs (400 high/critical) across its critical-path systems and noted that Mythos's false-positive rate rivaled human testers, while Mozilla fixed 271 vulnerabilities in Firefox 150 — more than ten times what an earlier Anthropic model found in Firefox 148. The UK AI Security Institute reported Mythos Preview was the first model to solve both of its cyber ranges end-to-end. Anthropic also revealed that of 1,752 reviewed high- or critical-rated findings, over 90% were confirmed valid, though the company acknowledged a widening gap between AI-driven discovery and human capacity to patch every flaw.

Anthropic has officially offered ENISA, the European Union's cybersecurity agency, access to its Mythos AI model through Project Glasswing. This follows earlier reports and signifies a move towards greater collaboration between AI developers and European cybersecurity bodies, addressing concerns about the continent being left vulnerable to advanced AI-driven vulnerability discovery.

Anthropic is significantly expanding Project Glasswing's reach by extending access to Claude Mythos Preview to approximately 150 new organizations across more than fifteen countries, including critical infrastructure sectors and open-source maintainers. This expansion follows initial success where early partners identified over 10,000 high-severity flaws, and now includes broader defensive tasks like automated patch writing and pre-release security checks.

Anthropic is significantly expanding access to its Project Glasswing program, adding approximately 150 new organizations across 15 countries. This expansion broadens the initiative's reach into underrepresented sectors such as power, water, and healthcare, many of which are critical infrastructure providers. The program's Claude Mythos Preview model has already identified over 10,000 high- or critical-severity bugs since its April launch, with new partners reporting substantial increases in their vulnerability discovery rates.

Cisco has detailed its own use of Anthropic's Claude Mythos Preview and OpenAI's GPT 5.5-Cyber, reporting that these AI models scanned 1.8 billion lines of code across its product portfolio in just eight weeks. While the company praised the speed and scale of the findings, it notably did not disclose the total number of vulnerabilities uncovered or confirm if all identified flaws have been remediated, unlike Palo Alto Networks' earlier report on Mythos usage.

Synthesized by Vypr AI