Pwn2Own Berlin 2026: 24 Zero-Days in One Day, AI Becomes Target #1

Karify98 & Amy ๐ŸŒธยท
Cover Image for Pwn2Own Berlin 2026: 24 Zero-Days in One Day, AI Becomes Target #1
#pwn2own#cybersecurity#ai-security#zero-day#nvidia

AI Is No Longer Safe

Yesterday (May 14, 2026), Pwn2Own Berlin 2026 kicked off with a staggering number: 24 zero-days successfully exploited on day one alone, with total prizes reaching $523,000.

But the real story isn't the number. It's that AI became the primary target.

For the first time in Pwn2Own history, there's a dedicated category for AI: AI Databases, Coding Agents, and Local Inferences. The result? Nearly every major AI product got "pwned" โ€” OpenAI Codex, Anthropic Claude Code, LiteLLM, LM Studio, NVIDIA Megatron Bridge, Chroma.

The Numbers

According to the Zero Day Initiative (Pwn2Own organizer):

  • 22 entries competed on day one
  • 24 zero-days confirmed
  • $523,000 in prizes awarded
  • DEVCORE currently leads Master of Pwn

Here are the most impressive exploits:

Orange Tsai (DEVCORE) โ€” $175,000 for Microsoft Edge

Orange Tsai, a well-known name in security research, chained 4 logic bugs to achieve a sandbox escape on Microsoft Edge. This was the day's most expensive exploit โ€” $175,000 and 17.5 Master of Pwn points.

What's notable: sandbox escape is always the hardest part of browser exploitation. Chaining 4 bugs shows an extremely high skill level.

STARLabs SG โ€” LM Studio Hacked with 5 Bugs Chained

STARLabs SG chained 5 bugs (including SSRF and Code Injection) to exploit LM Studio โ€” a popular local AI inference tool. They received $40,000.

LM Studio is a tool many developers use to run LLMs locally. Its exploitation raises a big question: is local AI really safer than cloud AI?

Compass Security โ€” OpenAI Codex Exploited

OpenAI Codex โ€” the AI coding agent many developers use daily โ€” was exploited by Compass Security with just 1 bug (CWE-150). $40,000 for a single bug.

This is a reminder: AI coding agents have access to codebases, terminals, and many sensitive systems. If an agent gets exploited, the consequences can be massive.

AI Coding Agents: The New Target for Attackers

Looking at the target list at Pwn2Own Berlin 2026, the trend is clear:

  • OpenAI Codex โ€” 2 entries (1 collision)
  • Anthropic Claude Code โ€” 1 entry (collision)
  • LiteLLM โ€” 2 entries (1 collision)
  • LM Studio โ€” 2 entries

AI coding agents are the new "soft target." The reasons:

  1. Broad access: Agents can read/write code, run terminals, access APIs
  2. Not yet mature on security: AI products launched 1-2 years ago haven't been thoroughly tested
  3. Supply chain risk: If an agent is compromised, an attacker can inject malicious code into millions of projects

According to Dustin Childs of the Zero Day Initiative, the AI category at Pwn2Own 2026 received the most entries ever โ€” showing that security researchers also see significant risk here.

NVIDIA Megatron Bridge: Exploited 3 Times

NVIDIA Megatron Bridge โ€” a component in NVIDIA's AI infrastructure โ€” was exploited 3 times on day one:

  • Satoki Tsuji (Ikotas Labs): Overly Permissive Allowed List bug โ€” $20,000
  • Yoseop Kim: CWE-470 (Use of Uninitialized Variable) โ€” $10,000
  • haehae (Out Of Bounds): Path Traversal โ€” $10,000

Three different teams, three different bug types, same product. This is a sign that NVIDIA Megatron Bridge has systemic security issues.

Lessons for Developers

1. Local AI Doesn't Mean Safe

Many people think running AI locally (LM Studio, Ollama) is safer than cloud. Pwn2Own Berlin 2026 shows this isn't true. Local AI still has vulnerabilities, and attackers can still exploit them.

2. AI Coding Agents Need Isolation

If you're using AI coding agents (Copilot, Cursor, Codex):

  • Run agents in sandboxed containers
  • Limit agent access to production systems
  • Review AI-generated code before committing
  • Monitor agent activity in CI/CD pipelines

3. Security Is Not Optional

The more popular an AI product becomes, the bigger the target. AI companies need to invest more in:

  • Regular security audits
  • Bug bounty programs
  • Responsible disclosure processes

4. Update Software Immediately

Many zero-days at Pwn2Own will be patched by vendors within 90 days. Update your software regularly โ€” especially the AI tools you use daily.

Conclusion

Pwn2Own Berlin 2026 marks a turning point: AI officially becomes a top attack target. No longer theoretical, no longer "could happen in the future" โ€” it's happening right now.

24 zero-days in one day. $523,000 in prizes. And this is only day one.

If you're building AI products, or using AI coding tools daily, it's time to take security seriously.

References: