Anthropic’s Claude Mythos AI Uncovers Thousands of Unpatched Security Vulnerabilities
Anthropic made a startling announcement on April 7, 2026. Its latest AI model, the Claude Mythos Preview, has unearthed thousands of zero-day vulnerabilities across all major operating systems and web browsers. This revelation has led the company to limit its release due to serious cybersecurity concerns.
The Mythos Preview, during its testing phase, autonomously detected and exploited critical security flaws. These included a 27-year-old vulnerability in OpenBSD and a 17-year-old bug in FreeBSD. These flaws could potentially grant unauthenticated attackers complete root access. According to Anthropic’s technical documentation, the model successfully reproduced vulnerabilities and created proof-of-concept exploits on the first attempt in 83.1% of cases.
Instead of making Mythos publicly available, Anthropic initiated Project Glasswing. This project provides controlled access to over 40 organizations, including:
- Amazon Web Services
- Apple
- Broadcom
- Cisco
- CrowdStrike
- JPMorgan Chase
- Microsoft
- NVIDIA
Anthropic is also offering up to $100 million in usage credits to assist these partners in scanning and securing their critical software systems.
The UK’s AI Security Institute found that Mythos succeeded in expert-level hacking tasks 73% of the time. Independent evaluations suggest that a staggering 99% of the vulnerabilities discovered have not yet been patched. Banks and government agencies worldwide are scrambling to assess the threat, with German banks consulting authorities and the Bank of England intensifying AI risk testing.
Opinions among cybersecurity experts on the severity of the threat are split. Some see it as a pivotal moment for security, while others argue that similar capabilities might be achievable with smaller, openly available models given the proper scaffolding.
Source: Axios