GenAI Is Both Hunter and Hunted at Pwn2Own Berlin 2026

Anthropic’s Claude Code is a more recent entry into this field, but immensely popular. It was also a very popular target with four teams going after it. The bugs these teams found were similar and in two cases were deemed collisions with previously found bugs from this competition, underscoring the importance of the luck of the draw.

Perhaps because it is not as popular, Cursor was only faced two attempts from Viettel and STARLabs, resulting in full wins.

In all three of these AI coding tools, problems seem to stem from similar sources that relate to the underlying frameworks that the agents use. Some of these common developer tools have evolved many capabilities that are now liabilities in the GenAI age. There is also some misguided trust when the agents ask the user to accept risks the user  may not be be able to evaluate correctly.

On their own, LLMs have some use, but are susceptible to hallucinations. To deal with this problem, in many GenAI-driven applications we augment the prompt with information retrieved from trusted data sources, and for this we often use vector stores. We call this retrieval-augmented generation (RAG). These allow us to retrieve similar texts by using their vector embeddings to find the closest to the texts we are interested in.

ChromaDB is an open‑source vector-search-oriented database built specifically for AI apps and there are many instances to be found exposed on the Internet. Generally, it seems to be well hardened, but the Out Of Bounds team was able to find a remote exploit. While many exposed Chroma instances are already accessible without credentials, such an exploit may allow access to otherwise protected instances and gain access to the host system. This is particularly troublesome as the data in these databases may be sensitive.

The Oracle Autonomous AI Database target was attempted by one team, but that was a failure.

Nvidia’s Megatron Bridge is a way of converting models back and forth from Hugging Face’s format to Nvidia’s Nemotron format. Four teams attempted this target, with the last team having a collision with a previously found bug. When some software needs to accept input, the attacker can manipulate that input in their attack. According to the teams, many exploits were found even if only one was needed to win in the end.

In the disclosures I was involved in, we asked the contestants about their GenAI use. All used some form of LLM along the way. Nearly everyone used it for the mandatory white paper that must accompany each exploit. In particular, non-English speaking teams found LLMs useful for translation (although some word use was unusual to say the least). Many used some coding agent for the initial bug discovery, although everyone reported a high false positive rate in this phase.

This is not surprising and is similar to ‘ordinary’ bug finding that also results in many dead ends. Some teams reported using GenAI mainly for exploit development, in particular for obfuscating the attack to avoid detection by endpoint detection and response (EDR) systems. During the disclosures I participated in, no one reported using Anthropic Mythos or being a part of an AI security program. Mythos has now been released to the public as Fable 5, although with restrictions that make it not particularly useful for security researchers.

In my personal experience using these agentic harnesses, I found that they help in reading large amounts of code that would take me very much longer by hand. Also, while I can read Python or C++ well, I don’t understand all the nuances of Rust or Go, but an agentic coding harness will not bat an eye. But surprisingly, the underlying mechanics of these harnesses are more rudimentary than one might expect, and involves a lot of ‘grep’-ing, gratuitous use of ‘find’, some simple Python code execution, downloading related content from the internet, etc. No sophisticated use of an SMT solver or program dependency graphs.

The difference is that an agentic coding harness can do the analysis much faster than I can and this is enough to mimic a skilled analyst. When I pushed the coding agent, I found I could get very close to exploits before the agent flags the conversation as a potential policy violation. This was all done without access to the mysterious Anthropic Mythos, but I used a lot of tokens. In the end, I think the harness that drives the GenAI model may be more important than the GenAI model itself.

Read More HERE