Pwn2Own Berlin 2026: 24 Zero-Days in One Day, AI Becomes Target #1
AI Is No Longer Safe
Yesterday (May 14, 2026), Pwn2Own Berlin 2026 kicked off with a staggering number: 24 zero-days successfully exploited on day one alone, with total prizes reaching $523,000.
But the real story isn't the number. It's that AI became the primary target.
For the first time in Pwn2Own history, there's a dedicated category for AI: AI Databases, Coding Agents, and Local Inferences. The result? Nearly every major AI product got "pwned" — OpenAI Codex, Anthropic Claude Code, LiteLLM, LM Studio, NVIDIA Megatron Bridge, Chroma.
The Numbers
According to the Zero Day Initiative (Pwn2Own organizer):
- 22 entries competed on day one
- 24 zero-days confirmed
- $523,000 in prizes awarded
- DEVCORE currently leads Master of Pwn
Here are the most impressive exploits:
Orange Tsai (DEVCORE) — $175,000 for Microsoft Edge
Orange Tsai, a well-known name in security research, chained 4 logic bugs to achieve a sandbox escape on Microsoft Edge. This was the day's most expensive exploit — $175,000 and 17.5 Master of Pwn points.
What's notable: sandbox escape is always the hardest part of browser exploitation. Chaining 4 bugs shows an extremely high skill level.
STARLabs SG — LM Studio Hacked with 5 Bugs Chained
STARLabs SG chained 5 bugs (including SSRF and Code Injection) to exploit LM Studio — a popular local AI inference tool. They received $40,000.
LM Studio is a tool many developers use to run LLMs locally. Its exploitation raises a big question: is local AI really safer than cloud AI?
Compass Security — OpenAI Codex Exploited
OpenAI Codex — the AI coding agent many developers use daily — was exploited by Compass Security with just 1 bug (CWE-150). $40,000 for a single bug.
This is a reminder: AI coding agents have access to codebases, terminals, and many sensitive systems. If an agent gets exploited, the consequences can be massive.
AI Coding Agents: The New Target for Attackers
Looking at the target list at Pwn2Own Berlin 2026, the trend is clear:
- OpenAI Codex — 2 entries (1 collision)
- Anthropic Claude Code — 1 entry (collision)
- LiteLLM — 2 entries (1 collision)
- LM Studio — 2 entries
AI coding agents are the new "soft target." The reasons:
- Broad access: Agents can read/write code, run terminals, access APIs
- Not yet mature on security: AI products launched 1-2 years ago haven't been thoroughly tested
- Supply chain risk: If an agent is compromised, an attacker can inject malicious code into millions of projects
According to Dustin Childs of the Zero Day Initiative, the AI category at Pwn2Own 2026 received the most entries ever — showing that security researchers also see significant risk here.
NVIDIA Megatron Bridge: Exploited 3 Times
NVIDIA Megatron Bridge — a component in NVIDIA's AI infrastructure — was exploited 3 times on day one:
- Satoki Tsuji (Ikotas Labs): Overly Permissive Allowed List bug — $20,000
- Yoseop Kim: CWE-470 (Use of Uninitialized Variable) — $10,000
- haehae (Out Of Bounds): Path Traversal — $10,000
Three different teams, three different bug types, same product. This is a sign that NVIDIA Megatron Bridge has systemic security issues.
Lessons for Developers
1. Local AI Doesn't Mean Safe
Many people think running AI locally (LM Studio, Ollama) is safer than the cloud. Pwn2Own Berlin 2026 shows this isn't true. Local AI still has vulnerabilities, and attackers can still exploit them.
2. AI Coding Agents Need Isolation
If you're using AI coding agents (Copilot, Cursor, Codex):
- Run agents in sandboxed containers
- Limit agent access to production systems
- Review AI-generated code before committing
- Monitor agent activity in CI/CD pipelines
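One way to put the "limit agent access" and "monitor agent activity" items into code, as an added example that is not from the post or from any of the products named: a small Python guard that confines an agent's file tool to one workspace (rejecting `..`, absolute paths and planted symlinks, the path-traversal and overly-permissive-allow-list failure modes seen against Megatron Bridge), allows only an exact list of commands, and writes one audit line per decision for a CI/CD monitor to collect. `AgentGuard`, `ALLOWED_COMMANDS` and the workspace laid out in `demo()` are hypothetical.

```python
import os
import shlex
import tempfile
from dataclasses import dataclass, field

ALLOWED_COMMANDS = {"git", "pytest", "npm"}  # assumption: all this agent may run
SHELL_META = set(";|&$`<>")

@dataclass
class AgentGuard:
    workspace: str
    audit: list = field(default_factory=list)  # one line per decision

    def _decide(self, allowed, kind, detail):
        self.audit.append(f"{'ALLOW' if allowed else 'DENY'} {kind} {detail}")
        return allowed

    def check_path(self, requested):
        # Resolve '..' and symlinks before comparing; a raw string prefix check
        # would accept "../workspace-other" and a planted symlink pointing outside.
        ws = os.path.realpath(self.workspace)
        real = os.path.realpath(os.path.join(ws, requested))
        inside = real == ws or real.startswith(ws + os.sep)
        return self._decide(inside, "file", f"{requested} -> {real}")

    def check_command(self, cmdline):
        # Exact match on the bare program name, no shell metacharacters; the
        # executor must then pass argv to subprocess without shell=True.
        try:
            argv = shlex.split(cmdline)
        except ValueError:
            return self._decide(False, "exec", f"unparseable {cmdline!r}")
        clean = bool(argv) and not any(SHELL_META & set(tok) for tok in argv)
        return self._decide(clean and argv[0] in ALLOWED_COMMANDS, "exec", cmdline)

def demo():
    with tempfile.TemporaryDirectory() as root:
        ws = os.path.join(root, "workspace")
        os.makedirs(os.path.join(ws, "src"))
        os.makedirs(os.path.join(root, "workspace-other"))  # constructed: shares prefix
        os.symlink(root, os.path.join(ws, "escape"))        # constructed: symlink escape
        g = AgentGuard(ws)
        return {
            "inside": g.check_path("src/../README.md"),
            "prefix": g.check_path("../workspace-other/secrets.env"),
            "symlink": g.check_path("escape/etc/passwd"),
            "git": g.check_command("git status"),
            "chain": g.check_command("git status; curl http://example.invalid"),
            "audited": len(g.audit),
        }
```

The `audit` list is the hook for the monitoring item: ship it to the pipeline's log sink and alert on any DENY.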
3. Security Is Not Optional
The more popular an AI product becomes, the bigger the target. AI companies need to invest more in:
- Regular security audits
- Bug bounty programs
- Responsible disclosure processes
4. Update Software Immediately
Many zero-days at Pwn2Own will be patched by vendors within 90 days. Update your software regularly — especially the AI tools you use daily.
Conclusion
Pwn2Own Berlin 2026 marks a turning point: AI has officially become a top attack target. No longer theoretical, no longer "could happen in the future" — it's happening right now.
24 zero-days in one day. $523,000 in prizes. And this is only day one.
If you're building AI products, or using AI coding tools daily, it's time to take security seriously.
References:
- Pwn2Own Berlin 2026 — Day One Results — Zero Day Initiative
- Hackers Used AI to Develop First Known Zero-Day 2FA Bypass — The Hacker News
- Pwn2Own Berlin 2026: 24 Zero-Days Net $523K on Day 1 — Anavem