Key Takeaways

- June 2026 saw 1,500 high-severity and critical CVEs reported, 3.5x the previous monthly record
- The spike began in April 2026, coinciding with Anthropic's Claude Mythos Preview release
- Anthropic's Glasswing program alone has found over 10,000 critical vulnerabilities

Security researchers reported roughly 1,500 high-severity and critical vulnerabilities in June 2026, shattering the previous monthly record by 3.5x. The cause? AI models that can hunt for software bugs without human guidance. Epoch AI traced the surge to April, when Anthropic released Claude Mythos Preview with autonomous vulnerability discovery capabilities.

Twenty-one organizations contributed to June's total, according to Epoch AI's analysis. The timing is hard to ignore. Anthropic announced in April that Claude Mythos Preview could find software vulnerabilities on its own, and the company said trusted partners had already been using the model to identify and patch bugs before public release.

How many vulnerabilities has AI actually found?

Anthropic's internal "Glasswing" program has uncovered more than 10,000 high-severity or critical vulnerabilities to date, with some still unpublished. OpenAI's parallel effort, called "Daybreak," is likely contributing to the flood as well. Epoch AI attributes the jump squarely to AI-driven discoveries, not a sudden increase in manual auditing or a change in reporting practices.

For context, the entire CVE database recorded around 28,000 vulnerabilities in 2023. Historically, about 25% of those qualify as high-severity or critical. A single month matching or exceeding typical annual critical-bug counts signals a fundamental change in how security research operates.

Why the spike started in April

Claude Mythos Preview debuted in April 2026 with a specific claim: it could autonomously scan codebases, identify vulnerabilities, and generate reports without step-by-step human prompting. Anthropic positioned the model for enterprise security teams and bug bounty researchers who needed to audit large code surfaces quickly.

The Glasswing program gave early partners access before public launch. Those partners, according to Anthropic, were already finding and fixing bugs at scale. When Mythos went public, the firehose opened wider. The CVE curve bent upward almost immediately.

What this means for security teams

The good news: more bugs found means more bugs fixed. Software that sat unpatched for years is now getting attention. The bad news: patch fatigue is real. A 3.5x increase in critical CVEs means security teams face a triaging nightmare. Prioritization frameworks that worked at 400 critical bugs per month break down at 1,500.

There's also a disclosure timing problem. Not all 10,000 Glasswing discoveries have been published. Anthropic and its partners are coordinating with vendors before release, but the backlog creates risk. If the model can find these bugs, so can adversaries running similar techniques.

The dual-use question nobody wants to answer

Autonomous vulnerability discovery cuts both ways. Defenders get a powerful scanning tool. Attackers get the same capability if they can access similar models or train their own. Anthropic has restricted Claude Mythos Preview to vetted partners, but the architecture is now proven. Competitors and open-source projects will follow.

OpenAI's Daybreak program suggests the race is already on. Both labs are positioning AI-driven security as a service, but neither has addressed what happens when these capabilities diffuse beyond controlled environments.

Logicity's Take

For AI builders and product teams, this data point should reshape your security roadmap. If you ship software, assume AI-driven scanners will audit your codebase whether you invite them or not. The bug bounty economics have shifted: payouts that made sense when humans spent weeks finding a single critical flaw may not scale when models find dozens in an afternoon. Teams using automated security tools like Snyk, Semgrep, or SonarQube should expect these platforms to integrate LLM-based scanning within 12 months, probably as premium tiers.

What happens next

The CVE spike is unlikely to plateau soon. More organizations are gaining access to Mythos and Daybreak. Open-source security researchers are building their own vulnerability-hunting agents. The infrastructure for AI-assisted auditing is becoming commoditized.

The question isn't whether AI will dominate security research. It already does. The question is whether patch velocity can keep pace with discovery velocity, and whether disclosure norms built for human researchers can survive an era of machine-speed bug hunting.

Frequently Asked Questions

What is Claude Mythos Preview?
Claude Mythos Preview is Anthropic's AI model released in April 2026 that can autonomously discover software security vulnerabilities without step-by-step human guidance.

How many vulnerabilities did AI find in June 2026?
Twenty-one organizations reported approximately 1,500 high-severity and critical CVEs in June 2026, 3.5 times the previous monthly record.

What is Anthropic's Glasswing program?
Glasswing is Anthropic's internal program that gives vetted partners early access to Claude Mythos for vulnerability discovery. It has found over 10,000 high-severity or critical vulnerabilities.

Does OpenAI have a similar security program?
Yes, OpenAI runs a program called Daybreak that is also contributing to the surge in reported vulnerabilities, though specific numbers have not been disclosed.

Will AI vulnerability discovery increase security risks?
It's a dual-use technology. Defenders can find and patch bugs faster, but attackers with access to similar models can discover exploitable flaws at the same speed.
Source: The Decoder / Matthias Bastian
Huma Shazia
Senior AI & Tech Writer
Produced with AI assistance and reviewed by the Logicity editorial team. Learn more in our Editorial Policy.