Skip to main content
CybersecurityVulnerability Management

AI Model Exposes 10,000 High-Severity Flaws in Widely Used Software

Blurred computer screen in foreground, rows of servers and workstations in background.

Anthropic disclosed that Project Glasswing “has helped uncover more than 10,000 high- or critical-severity vulnerabilities” in widely used software since the initiative went live last month.

Project Glasswing and Claude Mythos Preview

Project Glasswing is an Anthropic-led cybersecurity initiative that granted a small set of about 50 partners access to Claude Mythos Preview, a frontier AI model designed to find vulnerabilities in widely used software. Anthropic said the program targets what it called some of the most "systemically" important software across the world, and that the initiative began producing results shortly after going live last month.

The scale, classification, and validation of findings

Anthropic reported that more than 10,000 high- or critical-severity vulnerability candidates were uncovered by the effort. Of those, 6,202 were initially classified as high- or critical-severity and affected more than 1,000 open-source projects. Subsequent analysis identified 1,726 valid true positives; 1,094 of those valid findings were assessed to be either high- or critical-severity.

Anthropic quantified remediation outcomes so far: 97 findings were patched upstream and 88 advisories were issued. The company framed the raw numbers as evidence of an imbalance: "The relative ease of finding vulnerabilities compared with the difficulty of fixing them amounts to a major challenge for cybersecurity," Anthropic said.

Notable technical discoveries and operational remediation

Among the flaws flagged by Glasswing was a critical vulnerability in WolfSSL tracked as CVE-2026-5194, with a CVSS score of 9.1, which Anthropic said could allow an attacker to forge certificates and masquerade as a legitimate service. Anthropic also described downstream operational outcomes: in one case a Glasswing partner bank used the model to detect and prevent a fraudulent $1.5 million wire transfer that began after an unknown threat actor breached a customer's email account and made spoof phone calls.

AI capability, availability, and safety measures

Independent security vendors and platform makers flagged Mythos Preview’s technical step-change. Autonomous offensive security platform XBOW described Mythos Preview as "a major advance" that is "substantially better than prior models at finding vulnerability candidates" and "adept at analyzing source code with a security mindset." Anthropic added that the model can also excel at turning vulnerabilities into end-to-end attack chains.

Anthropic said it has launched a Cyber Verification Program that allows security professionals to use its models without guardrails for legitimate tasks such as vulnerability research, penetration testing, and red teaming. The company likened this to OpenAI's Daybreak, which enables defenders to leverage GPT-5.5-Cyber for specialized workflows.

Despite that capability, Anthropic acknowledged models with similar powers have not been released to the public, saying they remain withheld because "there currently exist no adequate safeguards to prevent their misuse at a large scale."

What this means for technologists, policymakers, and affected enterprises

  • Technologists and security teams: Anthropic urged developers and defenders to shorten patch testing and deployment timelines and to harden default configurations, enforce multi-factor authentication, and keep comprehensive logs for detection and response.
  • Vendors and patch managers: The report noted industry movement toward increased patch cadence—Microsoft said the number of new patches it expects to release on a monthly basis will "continue trending larger for some time," and Oracle recently shifted to a monthly patch cycle to address critical security issues.
  • Enterprises and financial institutions: The Glasswing partner bank’s prevented $1.5 million fraudulent transfer illustrates a real-world benefit reported by Anthropic, and underscores the tactical value some organizations may find in AI-assisted detection when applied under controlled conditions.

Anthropic framed Project Glasswing as offering an asymmetric advantage to defenders while warning that discovery will outpace repair unless organizations change practices: "Network defenders should shorten their patch testing and deployment timelines," the company said. It also expressed a forward-looking intent: "We hope that our generally available models, and the new tools, resources, and research we're providing to accompany them, will support those organizations to improve their cybersecurity posture."

The raw totals—more than 10,000 candidates, thousands classified high or critical, and just under two thousand validated—leave a clear, concrete test for the coming months: will the increased discovery driven by AI be matched by faster upstream fixes, broader advisories, and the operational controls Anthropic recommends? If not, Anthropic’s own framing warns, the ease of finding vulnerabilities could become a persistent problem rather than a solution.

Original story