AI/TLDR

Daniel Stenberg · 2026-05-11 · major

Daniel Stenberg: Mythos Finds a Curl Vulnerability — One Real Low-Severity Bug, Three False Positives, and a Reality Check on AI Vuln Hype

Curl maintainer Daniel Stenberg unpacks the five 'confirmed security vulnerabilities' Anthropic's Claude Mythos reported against curl. After triage: one low-severity bug, three false positives already documented in the API spec, and one ordinary bug.

Illustration: a stylized robot inspecting a computer monitor (image credit: Daniel Stenberg / daniel.haxx.se)

Anthropic's vaunted security model finds one real curl bug, three already-documented behaviors, and a non-vuln — Stenberg's take on what AI scanners actually do today.

What is it?

Daniel Stenberg, lead maintainer of curl, walks through what happened when the curl team ran Anthropic's Claude Mythos Preview — the security-tuned model behind Project Glasswing — against the curl source tree. Mythos returned five 'confirmed security vulnerabilities.' Triage by the curl team reclassified the set: one genuine low-severity issue that will get a CVE in curl 8.21.0 (late June 2026), three findings that were behaviors already documented in the public API specification, and one ordinary bug rather than a security problem.

How does it work?

Stenberg's framing is structural rather than punitive. Modern AI code scanners — Mythos, AISLE, Zeropath, OpenAI's Codex Security model — all materially outperform pre-LLM tools at finding the well-known classes of memory-safety and logic bugs that a senior reviewer would also flag. What they do not yet do, in his sample, is surface novel vulnerability classes. Mythos's count of confirmed-novel issues in curl this round is zero; comparable AI tools in earlier sweeps reported similar or higher numbers of real bugs.

Why does it matter?

Mythos has been talked about all month as a step-change in offensive cyber capability. Mozilla's 271-bug Firefox post and METR's 16-hour time horizon claim fueled that narrative. Stenberg's piece, from the maintainer of a code base every AI vendor wants to ship a press release about, is the first detailed pushback: on a heavily audited C codebase, Mythos performed at the level of its peers and well short of the marketing. It is also a quiet endorsement of curl's existing fuzzing and review pipeline.

Who is it for?

Security engineers triaging AI-generated bug reports, AppSec leads, Anthropic-watchers, and anyone calibrating how seriously to take 'AI found N vulnerabilities' headlines.


Tags

  • curl
  • claude-mythos
  • vulnerability-discovery
  • ai-security
  • false-positives
  • static-analysis
  • daniel-stenberg
