Anthropic's Project Glasswing Update: Mythos AI Uncovers Over 10,000 Critical Vulnerabilities in One Month, Highlighting Urgent Cybersecurity Risks

Anthropic has released an initial progress report on Project Glasswing, its collaborative initiative to secure the world's most critical software infrastructure before advanced AI models can be weaponized against it. The update, published on May 22, 2026, details the early results of deploying Claude Mythos Preview — an unreleased frontier model optimized for vulnerability discovery — to approximately 50 trusted partners.

Anthropic's Project Glasswing Update: Mythos AI Uncovers Over 10,000 Critical Vulnerabilities in One Month, Highlighting Urgent Cybersecurity Risks The findings are sobering. In just one month, partners using Mythos Preview have collectively identified more than 10,000 high- or critical-severity vulnerabilities across systemically important codebases.

Most partners reported discovering hundreds of such issues in their own software, with several noting that their bug-detection rate increased by more than a factor of ten. The primary challenge has shifted from finding vulnerabilities to verifying, disclosing, and patching them.

Cloudflare provided a striking example: the company scanned its critical-path systems and uncovered 2,000 vulnerabilities, of which 400 were high- or critical-severity. Cloudflare's security team noted that the false-positive rate was lower than what they typically see from human testers.

Anthropic's Project Glasswing Update: Mythos AI Uncovers Over 10,000 Critical Vulnerabilities in One Month, Highlighting Urgent Cybersecurity Risks Other partners echoed the impact. Mozilla fixed 271 vulnerabilities in Firefox 150 — more than ten times the number found in the previous release using an earlier Claude model. Palo Alto Networks shipped over five times its usual number of patches in its latest release, while Oracle reported fixing vulnerabilities multiple times faster than before.

Skeptics have questioned whether Mythos generates excessive false positives or “noise.” Anthropic directly addressed this by turning the model loose on open source. It scanned more than 1,000 major repositories that form the backbone of the modern internet. The scan surfaced 23,019 vulnerabilities in total (including medium- and low-severity issues), with 6,202 estimated to be high- or critical-severity.

To ensure reliability, 1,752 high- or critical-rated findings were subjected to rigorous independent review by six cybersecurity research firms or by Anthropic. Results showed a 90.6% true-positive confirmation rate (1,587 validated issues), and 62.4% of the assessed subset (1,094 vulnerabilities) were confirmed as high or critical severity.

Anthropic's Project Glasswing Update: Mythos AI Uncovers Over 10,000 Critical Vulnerabilities in One Month, Highlighting Urgent Cybersecurity Risks Some discoveries carry severe real-world consequences. In one case, Mythos Preview identified a vulnerability in the wolfSSL cryptography library — used by billions of devices worldwide — and autonomously generated a working exploit.

The exploit allows an attacker to forge certificates, enabling the creation of fake bank or email-provider websites that appear completely legitimate to users and browsers alike (no warnings shown). The flaw received CVE-2026-5194 and has since been patched.

Anthropic's Project Glasswing Update: Mythos AI Uncovers Over 10,000 Critical Vulnerabilities in One Month, Highlighting Urgent Cybersecurity Risks The volume of findings has overwhelmed security teams. On average, patching a high- or critical-severity bug discovered by Mythos Preview takes two weeks. Some open-source maintainers, facing a deluge of reports and limited resources, have asked Anthropic to slow the pace of disclosures so they can keep up with patch development.

To date, only a fraction of the reported high/critical issues have been fully patched and publicly disclosed, partly because the standard 90-day coordinated vulnerability disclosure window is still in progress.

These results come with a broader warning. Anthropic states unequivocally that no company — including itself —has yet developed safeguards reliable enough to prevent the malicious use of models with Mythos-level capabilities. That is why public access to the model remains closed.

Anthropic's Project Glasswing Update: Mythos AI Uncovers Over 10,000 Critical Vulnerabilities in One Month, Highlighting Urgent Cybersecurity Risks Project Glasswing was launched precisely to give defenders an asymmetric advantage: by hardening critical code now, the industry can reduce the risk that, once similar AI capabilities spread without controls, exploiting flawed software will become dramatically cheaper and easier for anyone in the world.

The initial update makes one thing clear: the age of AI-assisted vulnerability discovery has arrived. The bottleneck is no longer finding bugs — it is fixing them fast enough.

As Mythos and future models continue to evolve, the software ecosystem will need to adapt rapidly to this new reality. Project Glasswing represents a proactive first step, but the clock is ticking for the rest of the industry to catch up.