Last roundup covered one million exposed AI services, teenagers hacking governments with ChatGPT, and OpenAI launching Daybreak. This week, Anthropic published its first Project Glasswing update — Claude Mythos has found over 10,000 critical vulnerabilities across the world’s most important software, including bugs that survived decades of human review. Meanwhile, Microsoft disclosed how prompt injection in Semantic Kernel became full remote code execution, PraisonAI got targeted by scanners less than four hours after its CVE went public, and Mandiant’s M-Trends 2026 report confirms what defenders have been dreading: the average exploit now arrives a week before the patch.
Glasswing’s First Month: 10,000 Bugs, Fewer Than 1% Patched
Anthropic published its initial update on Project Glasswing, and the numbers are staggering. In its first month of operation, Claude Mythos Preview — the unreleased frontier model at the heart of the program — has identified more than 10,000 high- and critical-severity zero-day vulnerabilities across every major operating system, every major web browser, and a range of other critical software.
The discoveries include bugs that no human ever caught. A 27-year-old vulnerability in OpenBSD. A 16-year-old bug in FFmpeg. Both survived every prior round of human code review and automated testing. Mythos found them anyway.
Working with over 50 technology partners including Microsoft, Apple, Google, and Cloudflare, the program has scanned more than 1,000 open-source projects. Of the issues reviewed, 90.6% were confirmed as legitimate vulnerabilities and 62.4% validated as high or critical severity. Cloudflare alone has found 2,000 bugs — 400 of them high or critical — with a false positive rate the company says is better than human testers. Several partners report their bug-finding rate has increased by more than a factor of ten.
Here’s the problem: of 530 high or critical vulnerabilities reported to maintainers, only 75 have been patched and 65 have public advisories. That’s a patch rate under 15%. Anthropic attributes the gap to still being early in the 90-day coordinated disclosure window, but the bottleneck is now painfully clear. The constraint on software security is no longer finding vulnerabilities — it’s the human and organizational capacity to verify, disclose, and fix them.
Mythos can also construct functional exploits autonomously, which is precisely why Anthropic hasn’t released it publicly. The model remains restricted to defensive consortium members. Anthropic says it plans a public release of a “Mythos-class” bug-finding tool once safeguards are ready, but there’s no timeline. The dual-use risk is obvious: a model that can find and exploit bugs at this scale would be the most powerful offensive cyber tool ever created if it got into the wrong hands.
When Prompts Become Shells: Microsoft Semantic Kernel RCE
Microsoft disclosed two critical vulnerabilities in its Semantic Kernel AI agent framework that turned prompt injection into full remote code execution.
CVE-2026-26030 (CVSS 9.8) was the worse of the two. A vulnerable code path routed attacker-controlled vector store fields directly into a Python eval() call. A single crafted prompt was enough to launch arbitrary commands on the host running the AI agent. If that sentence doesn’t alarm you, consider that Semantic Kernel powers thousands of enterprise AI deployments.
CVE-2026-25592 was subtler but equally dangerous. An internal helper method called DownloadFileAsync was accidentally tagged as a [KernelFunction], exposing it to the LLM with no path validation. A prompt-injected agent could abuse it to escape its Azure Container Apps Python sandbox and download arbitrary files to the host.
Microsoft shipped patches in Semantic Kernel 1.39.4 (Python) and 1.71.0 (.NET), implementing four layers of protection: an AST node-type allowlist, a function call allowlist, a dangerous attributes blocklist, and name node restrictions. If you’re running Semantic Kernel, update immediately.
The broader lesson matters more than the specific CVEs. As Microsoft’s own blog title puts it: prompts are becoming shells. The tool registry in an AI agent framework is functionally an attack surface. Every function exposed to an LLM is a potential entry point for an attacker who can influence the model’s inputs. The security model for AI agents needs to treat tool access with the same rigor as API permissions — and most frameworks aren’t doing that yet.
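To make the four protective layers concrete, here is an added example (not Microsoft’s or Semantic Kernel’s code) of a small filter-expression evaluator that applies an AST node-type allowlist, a function-call allowlist, a dangerous-attribute blocklist, and name-node restrictions before anything is evaluated. The layer names come from the patch description above; the specific allowlist contents, the `safe_filter`/`unsafe_filter` names, and the sample records are assumptions made for the example.

```python
# Added example, not Semantic Kernel's code. It illustrates the four layers named
# in the patch description (AST node-type allowlist, function-call allowlist,
# dangerous-attribute blocklist, name-node restrictions) on a small "filter
# expression" evaluator; the specific allowlist contents are assumptions.
import ast

# Layer 1: node types an expression may contain. Resolved by name so the tuple
# builds on any Python 3.8+ (some node classes differ across versions).
_ALLOWED_NODE_NAMES = [
    "Expression", "BinOp", "UnaryOp", "Compare", "BoolOp", "Constant", "Name",
    "Load", "Call", "Attribute", "Subscript", "Index", "Add", "Sub", "Mult",
    "Div", "Mod", "USub", "Not", "Eq", "NotEq", "Lt", "LtE", "Gt", "GtE",
    "And", "Or", "In", "NotIn",
]
ALLOWED_NODES = tuple(getattr(ast, n) for n in _ALLOWED_NODE_NAMES if hasattr(ast, n))

# Layer 2: the only callables an expression may invoke, by bare name.
ALLOWED_CALLS = {"len": len, "min": min, "max": max, "abs": abs, "str": str}

# Layer 3: attributes that must never be read (the usual sandbox-escape pivots).
BLOCKED_ATTRS = {"__class__", "__subclasses__", "__globals__", "__builtins__",
                 "__mro__", "__dict__", "__getattribute__", "__import__"}


class UnsafeExpression(ValueError):
    """Raised when an expression touches anything outside the allowlists."""


def _check(tree: ast.AST, bound_names: set) -> None:
    for node in ast.walk(tree):
        if not isinstance(node, ALLOWED_NODES):
            raise UnsafeExpression(f"disallowed syntax: {type(node).__name__}")
        if isinstance(node, ast.Attribute):
            # Layer 3: no dunder access, no known pivot attributes
            if node.attr.startswith("__") or node.attr in BLOCKED_ATTRS:
                raise UnsafeExpression(f"blocked attribute: {node.attr}")
        if isinstance(node, ast.Call):
            # Layer 2: only bare-name calls to allowlisted functions; no method calls
            if not isinstance(node.func, ast.Name) or node.func.id not in ALLOWED_CALLS:
                raise UnsafeExpression("call to non-allowlisted function")
        if isinstance(node, ast.Name):
            # Layer 4: a name must be a bound record field or an allowlisted callable
            if node.id not in bound_names and node.id not in ALLOWED_CALLS:
                raise UnsafeExpression(f"unknown name: {node.id}")


def unsafe_filter(expr: str, record: dict):
    """The anti-pattern: untrusted text straight into eval()."""
    return eval(expr, {}, dict(record))


def safe_filter(expr: str, record: dict):
    """Parse, validate every node, then evaluate with builtins removed."""
    tree = ast.parse(expr, mode="eval")
    _check(tree, set(record))
    # Even if a check were bypassed, no builtins are reachable from this namespace.
    env = {"__builtins__": {}, **ALLOWED_CALLS}
    return eval(compile(tree, "<filter>", "eval"), env, dict(record))
```

The point of walking every node before calling `eval()` is that the allowlist is checked against the parsed structure, not the raw string, so string tricks that would slip past a regex still have to produce an allowed node type; removing `__builtins__` from the evaluation namespace is the second, independent line of defence.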
PraisonAI: From Disclosure to Exploitation in Under Four Hours
The shrinking exploit window isn’t theoretical. PraisonAI, an open-source multi-agent orchestration framework, got scanned by attackers three hours, 44 minutes, and 39 seconds after CVE-2026-44338 was publicly disclosed.
The vulnerability itself is embarrassing. PraisonAI’s legacy Flask API server hard-codes AUTH_ENABLED = False and AUTH_TOKEN = None. Two “protected” routes fail open by design: GET /agents returns configured agent metadata, and POST /chat accepts any JSON body and executes the agent pipeline. No authentication required. Versions 2.5.6 through 4.6.33 were affected.
The first targeted probe was a GET /agents request with no Authorization header and a User-Agent string of CVE-Detector/1.0 — not even trying to be subtle. The fix shipped in version 4.6.34, but anyone running an exposed PraisonAI instance between disclosure and patch was vulnerable to arbitrary agent execution with whatever API keys were configured in agents.yaml.
This is the new normal for AI infrastructure. Deploy an agent framework with default settings, expose it to the internet, and you have hours — not days — before someone tries to take it over.
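The PraisonAI bug is a textbook fail-open default, so here is an added example (not PraisonAI’s code) showing the fail-open authorization shape beside a fail-closed one, plus a small detector that runs over constructed access-log lines and flags successful unauthenticated hits on the two protected routes. Only the config names `AUTH_ENABLED` and `AUTH_TOKEN` and the routes `GET /agents` and `POST /chat` come from the advisory above; the request handling, the `auth=yes|no` log field and the log lines themselves are assumptions constructed for the example.

```python
# Added example, not PraisonAI's code. The two config names (AUTH_ENABLED,
# AUTH_TOKEN) and the two routes come from the advisory; the request/log
# handling around them is assumed and the log lines are constructed.
import hmac
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Settings:
    AUTH_ENABLED: bool = False        # the shipped default described above
    AUTH_TOKEN: Optional[str] = None


# Routes the advisory lists as "protected".
PROTECTED = {("GET", "/agents"), ("POST", "/chat")}


def fail_open_allows(settings: Settings, method: str, path: str, headers: dict) -> bool:
    """The fail-open shape: a disabled flag short-circuits every check."""
    if (method, path) not in PROTECTED or not settings.AUTH_ENABLED:
        return True
    return headers.get("Authorization") == f"Bearer {settings.AUTH_TOKEN}"


def fail_closed_allows(settings: Settings, method: str, path: str, headers: dict) -> bool:
    """Fail-closed: an unset flag or empty token denies instead of bypassing."""
    if (method, path) not in PROTECTED:
        return True
    token = settings.AUTH_TOKEN
    if not settings.AUTH_ENABLED or not token:
        return False                  # misconfiguration is a deny, not a pass
    supplied = headers.get("Authorization", "")
    if not supplied.startswith("Bearer "):
        return False
    # constant-time comparison so token length/prefix is not leaked by timing
    return hmac.compare_digest(supplied[len("Bearer "):], token)


# Constructed access log (combined format plus a trailing auth=yes|no field
# assumed to be emitted by the app); the first line mirrors the probe described above.
SAMPLE_LOG = """\
203.0.113.7 - - [23/Apr/2026:14:02:11 +0000] "GET /agents HTTP/1.1" 200 512 "CVE-Detector/1.0" auth=no
198.51.100.4 - - [23/Apr/2026:14:02:15 +0000] "POST /chat HTTP/1.1" 200 2048 "python-requests/2.31" auth=no
10.0.0.5 - - [23/Apr/2026:14:03:01 +0000] "POST /chat HTTP/1.1" 200 1800 "Mozilla/5.0" auth=yes
10.0.0.9 - - [23/Apr/2026:14:03:20 +0000] "GET /healthz HTTP/1.1" 200 12 "kube-probe/1.29" auth=no
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \d+ "(?P<ua>[^"]*)" auth=(?P<auth>yes|no)$'
)


def find_unauthenticated_hits(log_text: str) -> list:
    """Return (ip, method, path, user-agent) for successful unauthenticated
    requests to protected routes: the signal that the fail-open path was used."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue
        on_protected = (m["method"], m["path"]) in PROTECTED
        if on_protected and m["auth"] == "no" and m["status"].startswith("2"):
            hits.append((m["ip"], m["method"], m["path"], m["ua"]))
    return hits
```

The difference between the two gates is a single condition: in the fail-open version a missing token never gets as far as a comparison, while in the fail-closed version a missing flag or token is itself a deny. The detector is deliberately narrow (2xx responses on the two protected routes with no credential), which is exactly the trace an exposed default install leaves behind.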
Mandiant M-Trends 2026: The Exploit Window Has Gone Negative
Mandiant’s M-Trends 2026 report, drawn from 450,000 hours of incident response, makes the threat dynamics quantitatively clear. The mean time-to-exploit for newly disclosed vulnerabilities is now negative seven days.
That’s not a typo. On average, exploitation begins a full week before the vendor patch is publicly available. In 2018, defenders had 63 days between disclosure and exploitation. That window has not just closed — it’s inverted. Nearly a third of CVEs (28.3%) are now exploited within 24 hours of disclosure.
Exploitation of internet-facing systems remained the leading initial infection vector for the sixth consecutive year, accounting for 32% of cases where Mandiant identified the entry point. Many of these were zero-days, weaponized before a patch existed.
The report also flagged a new speed benchmark: 22 seconds. That’s the hand-off time between initial compromise and lateral movement in the fastest cases Mandiant observed. Once inside, attackers are moving to secondary targets almost instantly.
For organizations still running monthly patch cycles or relying on risk-score prioritization, the math is brutal. You’re consistently behind adversaries who are exploiting flaws in the wild before vendors can even respond. Runtime detection and network segmentation aren’t optional anymore — they’re the only things that work when the patch window is negative.
What This Means
The common thread this week is a fundamental mismatch between the speed of offense and the speed of defense. Mythos can find thousands of critical bugs in a month, but the patch rate is under 15%. Semantic Kernel vulnerabilities exposed entire enterprise environments through a feature flag someone forgot to remove. PraisonAI shipped with authentication disabled by default. And Mandiant’s data confirms that exploits routinely arrive before patches.
AI is accelerating both sides of the security equation, but right now offense is winning. Anthropic’s Glasswing program might eventually tip the balance — if defenders can scale their patching infrastructure to match the rate at which AI finds bugs. The 90-day disclosure window, designed for a world where humans found a handful of critical bugs per quarter, is straining under a flood of thousands.
What You Can Do
- If you run AI agent frameworks: Audit every function exposed to your LLM. Treat the tool registry as an attack surface. Update Semantic Kernel to 1.39.4+ (Python) or 1.71.0+ (.NET). Upgrade PraisonAI to 4.6.34+.
- If you deploy AI services: Assume authentication is off by default. Check it. Then check it again. Never expose Ollama, n8n, Flowise, or any agent framework to the public internet without explicit authentication.
- If you manage vulnerability response: Monthly patch cycles are no longer viable for internet-facing systems. Prioritize runtime detection and network segmentation over patch-and-pray.
- If you use frontier AI models: Understand that the same capabilities that find bugs can write exploits. Support responsible disclosure programs and push vendors to patch faster.