Anthropic's Claude Mythos Finds Over 10,000 High-Severity Flaws

Anthropic disclosed on May 23 that its Project Glasswing initiative has uncovered more than 10,000 high- or critical-severity vulnerabilities in widely used software since launching last month. The effort relies on exclusive early access to Claude Mythos Preview, a frontier model granted to roughly 50 partner organizations for defensive security research.

Of the vulnerabilities identified, 6,202 were classified as high- or critical-severity and affected more than 1,000 open-source projects. Validation confirmed 1,726 as true positives, including 1,094 rated high- or critical-severity. One example is CVE-2026-5194 in WolfSSL, a critical flaw with a CVSS score of 9.1 that could enable certificate forgery. The project has resulted in 97 upstream patches and 88 security advisories so far.

Anthropic noted the disparity between rapid discovery and slower remediation as a core challenge. Partners have reported each finding hundreds of critical or high-severity issues in their own codebases. The model has also assisted a partner bank in detecting and blocking a fraudulent $1.5 million wire transfer stemming from a compromised email account.

Independent evaluations, including from XBOW, describe Mythos Preview as substantially better than prior models at generating vulnerability candidates and analyzing code with a security focus. Anthropic has launched a Cyber Verification Program allowing security professionals to use its models without standard guardrails for authorized vulnerability research and penetration testing. The company urged developers to accelerate patch cycles and adopt faster deployment timelines, citing similar shifts at vendors such as Oracle and Microsoft.

Broader coverage from outlets including Engadget and The Next Web confirms the scale of findings and highlights rising patch volumes across the industry. Anthropic emphasized that while Glasswing provides an asymmetric advantage to key defenders, organizations must strengthen default configurations, enforce multi-factor authentication, and maintain detailed logs to keep pace with AI-driven discovery capabilities.