Curl maintainer Daniel Stenberg ran Anthropic's Mythos code scanner against the curl codebase. Mythos identified 1 confirmed vulnerability (CVE) and approximately 20 bugs.
Key facts
- Curl maintainer Daniel Stenberg tested Mythos on the curl codebase.
- Mythos found 1 confirmed CVE and ~20 bugs.
- Curl is a 25+ year old, heavily-audited codebase.
- Mythos is built on Claude Opus 4.6.
- Test provides independent validation outside curated benchmarks.
Daniel Stenberg, the lead maintainer of curl, tested Anthropic's Mythos code scanner on the widely-used HTTP library. According to his blog post on May 11, 2026, Mythos found one confirmed vulnerability (a CVE) and roughly 20 other bugs. The results provide an early real-world validation of Mythos for security auditing, moving beyond vendor benchmarks.
What Mythos Found
Stenberg's test is significant because curl is a mature, heavily-audited codebase with over 25 years of development. The single CVE is a concrete security flaw that Anthropic's AI detected. The ~20 additional bugs include potential memory safety issues and logic errors. Stenberg did not disclose the CVE details pending patch release [per Stenberg's blog].
Mythos, released by Anthropic in early 2026, is an AI-powered static analysis tool built on Claude Opus 4.6. It competes with GitHub Copilot Autofix, Semgrep, and CodeQL for vulnerability detection. Unlike those tools, Mythos uses a large language model to simulate code execution paths rather than pattern matching.
Independent Validation Matters
What stands out is that Mythos performed well on a codebase it was almost certainly not trained on. Curl predates modern AI training datasets, and its C code has distinct idioms. Stenberg's test offers a rare independent assessment of Mythos's effectiveness, as most security AI tools are evaluated on curated benchmarks like CWE-119 or the Juliet Test Suite. Anthropic has not disclosed Mythos's internal architecture or benchmark suite.
Stenberg's finding aligns with broader trends in AI-assisted security. In March 2026, Google reported that Copilot Autofix found 1.2x more vulnerabilities than traditional SAST on open-source projects. Mythos's performance on curl suggests LLM-based scanners can generalize beyond training distributions.
Limitations
The test was a single run by one developer on one codebase. Stenberg noted that Mythos flagged several false positives, which he filtered manually. The ~20 bugs include issues of varying severity. Anthropic has not published a formal evaluation of Mythos's precision or recall rates.
What to watch
Watch for the CVE disclosure once the curl patch is released. Also monitor Anthropic for a Mythos v2 release with precision metrics, and whether other major open-source projects (nginx, OpenSSL) publish similar third-party Mythos audits.









