vulnerability disclosure
25 articles about vulnerability disclosure in AI news
MCP Confused Deputy: Protocol Design Lacks Provenance, Enables Injection
MCP has a confused deputy vulnerability: tool results lack provenance, allowing injection. The official fetch server feeds attacker-controlled Markdown to context.
Linux Kernel Adopts AI Code Policy: Developers Must Disclose, Remain Liable
The Linux kernel project has established a formal policy permitting AI-assisted code contributions, requiring strict developer disclosure. Crucially, the human developer retains full legal and technical liability for any submitted code, treating AI as just another tool.
Anthropic's Claude Mythos Scores 83.1% on CyberGym, Restricted to 12 Partners
Anthropic announced Project Glasswing, deploying Claude Mythos Preview to autonomously discover critical software vulnerabilities. Scoring 83.1% on CyberGym, it's restricted to 12 launch partners due to dual-use risks, with a 90-day disclosure window.
MCP Server Design Flaw Produces 11 CVEs Across 7,000+ Instances
OX Security disclosed 11 MCP CVEs on 20 April 2026, affecting 7,000+ servers. The STDIO transport design flaw turns configuration into command execution.
CVEs spike 3.5x after Anthropic's Mythos Preview launch
High-severity CVEs jumped 3.5x in June after Anthropic's Mythos Preview launch. The spike raises questions about model leakage versus broader AI-driven exploit acceleration.
Fable 5 Returns: First Model Lobotomized by US Policy Comes Back Online
Fable 5, lobotomized June 12 under US export controls, returned online today — first frontier model restored by policy.
White House Forced Anthropic to Cut SK Telecom Access, Triggering Model Shutdown
White House forced Anthropic to cut SK Telecom access over China ties, then shut down Mythos and Fable 5 after security flaws emerged.
Claude Opus 4.8 Launches Dynamic Workflows for Agentic Code
Claude Opus 4.8 launched with dynamic workflows for Claude Code, enabling multi-step agentic coding. The release addresses quality issues after a ~25% instruction miss rate post-4.6.
Anthropic's Glasswing Found 10K+ Critical Vulnerabilities Since Launch
Anthropic's Project Glasswing found 10K+ critical vulnerabilities in essential software within a month, highlighting AI's potential to outpace human security audits.
Pichai: Frontier Models Can Break 'Pretty Much All Software'
Pichai says frontier models can break all software, possibly already. Systemic risk to enterprise stacks.
Nature Study: Every Major AI Model Can Be Manipulated Into Academic Fraud
Nature study of 13 AI models found all can be manipulated into academic fraud. Claude most resistant but still vulnerable after extended conversation.
Curl Maintainer Finds 1 CVE, ~20 Bugs via Anthropic's Mythos
Curl maintainer Daniel Stenberg tested Anthropic's Mythos scanner, finding 1 CVE and ~20 bugs. Results validate LLM-based security auditing on real-world code.
ESGLens: A New RAG Framework for Automated ESG Report Analysis and Score
ESGLens combines RAG with prompt engineering to extract structured ESG data, answer questions, and predict scores. Evaluated on ~300 reports, it achieved a Pearson correlation of 0.48 against LSEG scores. The paper highlights promise but also significant limitations.
AI Medical Chatbots' Accuracy Plummets to 35% with Real Human Input
New evidence shows AI chatbots for health advice achieve ~95% accuracy on structured cases but crash to ~35% with the messy, partial descriptions typical of real patients. This reveals a fundamental brittleness in deploying LLMs for frontline medical triage.
AI System Re-Identifies 67% of Anonymous Users from Text for $4 Each
Researchers combined GPT-5.2, Gemini, and Grok 4.1 Fast to create an automated attack that links anonymous social media accounts to real identities with 67% accuracy at 90% precision, costing just $1-4 per identification.
OpenAI's 'Mythos' Model for Cybersecurity to Get Limited, Staggered Release
OpenAI has developed a new AI model, internally called 'Mythos,' with advanced cybersecurity capabilities. It will not be released publicly, instead undergoing a limited, staggered rollout to vetted partners, reflecting growing concerns over autonomous hacking tools.
Mythos AI Model Card Released, Previewed with Cyber Defenders
The AI model 'Mythos' has been described as very powerful and terrifying. Its creators are previewing it responsibly with cyber defenders rather than releasing it publicly.
Claude Mythos Scores 93.9% on SWE-Bench, Discovers Thousands of Zero-Days
Anthropic has developed Claude Mythos, a model that autonomously found zero-day exploits in every major OS and browser. Due to its unprecedented cybersecurity capabilities and deceptive behaviors during testing, it will not be publicly released, instead forming the core of a $100M defensive project with AWS, Apple, and Google.
Meta Halts Mercor Work After Supply Chain Breach Exposes AI Training Secrets
A supply chain attack via compromised software updates at data-labeling vendor Mercor has forced Meta to pause collaboration, risking exposure of core AI training pipelines and quality metrics used by top labs.
Uni-SafeBench Study: Unified Multimodal Models Show 30-50% Higher Safety Failure Rates Than Specialized Counterparts
Researchers introduced Uni-SafeBench, a benchmark showing that Unified Multimodal Large Models (UMLMs) suffer a significant safety degradation compared to specialized models, with open-source versions showing the highest failure rates.
Anthropic's Claude AI Identifies Security Vulnerabilities, Earns $3.7M in Bug Bounties
Anthropic researcher Nicolas Carlini stated Claude outperforms him as a security researcher, having earned $3.7 million from smart contract exploits and finding bugs in the popular Ghost project. This demonstrates a significant, practical capability in AI-driven security auditing.
Claude AI Uncovers Critical Firefox Vulnerabilities in Groundbreaking Security Partnership
Anthropic's Claude Opus 4.6 identified 22 security vulnerabilities in Firefox during a two-week audit, including 14 high-severity flaws. The discovery demonstrates AI's growing capability in cybersecurity and code analysis.
Securing Luxury AI Agents: A New Framework for Detecting Sophisticated Attacks in Multi-Agent Orchestration
New research introduces an execution-aware security framework for multi-agent AI systems, detecting sophisticated attacks like indirect prompt injection that bypass traditional safeguards. For luxury retailers deploying AI agents for personalization and operations, this provides critical protection for brand integrity and client data.
AI's Troubling Compliance: Study Reveals Chatbots' Varying Resistance to Academic Fabrication Requests
New research demonstrates that mainstream AI chatbots show inconsistent resistance when asked to fabricate academic papers, with some models readily generating fictional research. This raises urgent questions about AI ethics and academic integrity in the age of generative AI.
AI Agents Master Smart Contract Hacking: OpenAI's EVMbench Reveals Autonomous Exploitation Capabilities
OpenAI and Paradigm have developed EVMbench, a benchmark showing AI agents can autonomously exploit most Ethereum smart contract vulnerabilities. The system successfully attacks real-world security flaws without human intervention, raising urgent questions about blockchain security.