Anthropic's Claude Mythos Finds 10,000 High-Severity Flaws in Software

Anthropic's Project Glasswing initiative has uncovered more than 10,000 high- or critical-severity vulnerabilities across systemically important software globally since its launch last month. The defensive AI effort grants approximately 50 partners exclusive early access to Claude Mythos Preview, a frontier model designed to autonomously identify security weaknesses in widely-deployed software before threat actors can exploit them. Of the identified vulnerabilities, 6,202 have been classified as high- or critical-severity flaws impacting over 1,000 open-source projects. Validation efforts have confirmed 1,726 as true positives, with 1,094 assessed as high- or critical-severity issues requiring immediate attention.

One critical discovery includes a severe flaw in WolfSSL (CVE-2026-5194, CVSS score: 9.1) that could enable attackers to forge certificates and impersonate legitimate services. The initiative has already resulted in 97 findings being patched upstream and 88 security advisories issued. Anthropic acknowledges that while vulnerability discovery has become more efficient through AI assistance, the difficulty of fixing these issues remains a significant challenge for the cybersecurity industry. The company is urging software developers to shorten patch cycles and make security fixes available more rapidly, citing Oracle's recent shift to a monthly patch cycle for critical issues as an industry model.

Autonomous offensive security platform XBOW has described Mythos Preview as "a major advance" substantially outperforming prior models at identifying vulnerability candidates and analyzing source code with a security-focused approach. The model's capabilities extend beyond traditional vulnerability hunting—in one instance, a Glasswing partner bank leveraged it to detect and prevent a fraudulent $1.5 million wire transfer after an unknown threat actor compromised a customer's email account and conducted spoofed phone calls. Organizations should consider implementing robust security validation processes, including tools like SSL/TLS checker and port scanner, to proactively identify and remediate vulnerabilities before they can be exploited. Developers and network defenders are encouraged to shorten patch testing and deployment timelines as AI-assisted vulnerability discovery continues to accelerate across the industry.