Anthropic’s Claude Mythos Flags 23K Potential Open-Source Security Flaws | eWeek

Anthropic’s Claude Mythos Flags 23K Potential Open-Source Security Flaws

Anthropic Project Glasswing dashboard in a computer monitor

Image: Generated with Google’s Nano Banana 2.

Written By
Liz Ticong
Liz Ticong
May 26, 2026
3 minute read
eWeek content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More

Anthropic’s latest Project Glasswing update carries a warning for the software world.

Claude Mythos Preview flagged 23,019 potential vulnerabilities in open-source projects, with 6,202 estimated as high- or critical-severity. Anthropic said the volume of AI-found flaws is turning verification, disclosure, and patching into the new bottleneck.

AI-powered vulnerability hunting could soon test whether defenders can move as quickly as the models scanning their code.

Many of the AI-found bugs held up

The AI model’s open-source scan covered more than 1,000 projects. A subset went through additional checks by independent security firms or Anthropic itself, and the early validation numbers were substantial:

  • 1,752: High- or critical-rated findings reviewed by outside security firms or internal researchers.
  • 90.6%: Reviewed findings judged to be valid true positives.
  • 62.4%: Reviewed findings confirmed as high- or critical-severity.
  • Nearly 3,900: Projected high- or critical-severity open-source vulnerabilities if current post-triage rates hold.

One example came from wolfSSL, an open-source cryptography library used in billions of devices. Mythos Preview found a now-patched flaw that could have allowed an attacker to forge certificates, potentially making a fake banking or email site appear legitimate to an end user.

Discovery itself is becoming the easier part. “Finding them in the first place has become vastly more straightforward with Mythos Preview,” the AI company said.

Patching could not keep up

Coordinated disclosure is intended to give software teams time to verify flaws, prepare fixes, and allow users to update before details become public. Mythos Preview is testing how well that process works when findings arrive in bulk.

Each report still needs human review. Researchers have to reproduce the issue, rate its severity, check whether a fix already exists, and give maintainers enough detail to repair the code safely. Some maintainers asked Anthropic to slow the pace of disclosures because they needed more time to respond.

Anthropic said it has disclosed 530 high- or critical-severity bugs to maintainers so far, but only 75 have been patched. On average, a bug at that severity level takes about two weeks to fix.

The low patch count partly reflects the early stage of the standard 90-day disclosure window, and some fixes may not yet be visible because not every patch gets a public advisory.

Advertisement

Public release is still off the table

Anthropic has kept Mythos-class models out of general release while using the technology with Project Glasswing partners. Models as capable as Mythos Preview will soon be developed by many AI companies, the Claude-maker warned, making access controls and safeguards more urgent.

Access remains limited because safeguards have not kept pace with capabilities. “No company — including Anthropic — has developed safeguards strong enough to prevent such models from being misused,” the company said.

Near-term access is moving through Project Glasswing instead. The program will expand to more critical partners, including the US and allied governments, while qualifying security teams get defensive tools such as Claude Security, scanning workflows, a codebase-mapping harness, and a threat model builder.

Google’s latest Search headache shows how generative AI can make old spam tactics feel newly dangerous.

Liz Ticong

Liz Ticong is a staff writer for eWeek and TechRepublic focused on AI, cybersecurity, enterprise software, and data. She has more than 10 years of editorial experience as a technology industry writer, combining reporting, product research, and hands-on software testing in her coverage. Her work has been published on Datamation, Enterprise Networking Planet, and TechnologyAdvice.com. She writes technology news, software reviews, product comparisons, and buyer’s guides for business and IT readers.

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Property of TechnologyAdvice. © 2026 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.