High-severity CVEs surged 3.5x in June after Anthropic's Claude Mythos Preview launch. Epoch's data shows the spike followed Anthropic's April announcement that Mythos can autonomously discover and exploit vulnerabilities.
Key facts
- 3.5x increase in high-severity CVEs in June 2026
- Mythos Preview announced April 2026
- Previous monthly record before Mythos was lower
- Anthropic restored Mythos access July 1 with security deal
In April 2026, Anthropic announced that its latest internal model (Claude Mythos Preview) was capable of autonomous cybersecurity vulnerability discovery and exploitation, according to Epoch. Since then, both Anthropic and OpenAI have launched efforts to use frontier models to harden critical software before malicious actors can use the same models for harm.
The number of Common Vulnerabilities and Exposures (CVEs) jumped significantly following these announcements. Compared to the previous monthly record before the Mythos Preview announcement, the number of high- and critical-severity vulnerabilities increased more than 3.5x in June.
Key Takeaways
- High-severity CVEs jumped 3.5x in June after Anthropic's Mythos Preview launch.
- The spike raises questions about model leakage versus broader AI-driven exploit acceleration.
Two plausible explanations
Hacker News commenters offered two competing theories. One: someone with early access to Mythos leaked it to bad actors. Two: cybercriminals are getting enough mileage from alternative models to create exploits faster, even without Mythos access. The second theory also implicates "vibe-coding degrading software quality at multiple layers" as a contributing factor.
The data alone cannot distinguish between these causes. But the timing — a 3.5x spike immediately after Mythos's capability reveal — leans toward the leak hypothesis, though Epoch's report does not attribute causation.
Industry response
Both Anthropic and OpenAI have pivoted to proactive defense. Anthropic restored public access to Mythos and Fable models on July 1 under a deal requiring proactive security risk detection. The move signals that frontier labs view autonomous vulnerability discovery as a dual-use capability that requires guardrails.
OpenAI, meanwhile, proposed giving Washington 5% equity to ease regulatory pressure, as previously reported, suggesting the CVE spike amplifies scrutiny on model release policies.
What to watch
Watch for Anthropic's Q3 vulnerability disclosure report and whether OpenAI follows with similar transparency metrics. If the CVE curve continues rising, expect regulatory demands for pre-release red-teaming mandates on frontier models.

Source: epoch.ai









