Claude Mythos finds 10,000+ high‑severity software flaws

Anthropic disclosed that about 50 partners participating in Project Glasswing used the Claude Mythos Preview model to scan widely used software and identified more than 10,000 candidate vulnerabilities since the effort launched last month.

Initial triage labeled 6,202 candidates as high- or critical‑severity and implicated code in over 1,000 open-source projects. Follow-up analysis confirmed 1,726 valid vulnerabilities, of which 1,094 were assessed as high or critical. So far 97 issues have been patched upstream and 88 advisories published.

One high-profile finding was a critical WolfSSL flaw tracked as CVE-2026-5194 with a CVSS score of 9.1. Anthropic reported the flaw could allow an attacker to forge certificates and impersonate legitimate services.

In an operational example, a banking partner used the model to detect and stop a fraudulent $1.5 million wire transfer after an attacker breached a customer email account and made spoofed phone calls.

Project Glasswing gives a small set of vetted partners access to Claude Mythos Preview, a frontier model built to analyze source code and software components with a security focus. Independent security vendors described the model as substantially better than earlier systems at finding candidate flaws and linking them into attack chains.

Anthropic acknowledged the gap between finding and fixing vulnerabilities: “The relative ease of finding vulnerabilities compared with the difficulty of fixing them amounts to a major challenge for cybersecurity.” The company urged developers and operators to shorten patch cycles, harden default configurations, enforce multi-factor authentication and keep detailed logs for detection and response.

The company has launched a Cyber Verification Program that lets vetted security professionals run the models without usual guardrails for legitimate work such as vulnerability research, penetration testing and red teaming. Anthropic noted models like Mythos Preview are not being released to the public because current safeguards are seen as insufficient to prevent large-scale misuse.

Some software vendors are already changing practices in response to faster AI-assisted discovery. Oracle moved to a monthly patch cadence for critical issues, and Microsoft has warned the number of monthly patches it expects to release will increase. Anthropic added these trends increase the need for organizations to accelerate patching and operational defenses.

Project Glasswing is part of a broader rise in AI-assisted vulnerability discovery that has accelerated flaw identification across open-source and commercial software and is prompting vendors and defenders to speed testing and deployment of fixes.