AI/TLDR

Zero Day Initiative · 2026-05-16 · major

Pwn2Own Berlin 2026 — AI Coding Agents and Local-Inference Tools Fall in Their First Outing: $1.3M Paid for 47 Zero-Days as OpenAI Codex, Cursor, Claude Code, LM Studio, and LiteLLM Are All Exploited

Pwn2Own Berlin 2026 added dedicated Coding Agent and Local Inference categories for the first time. Researchers exploited OpenAI Codex, Cursor, Claude Code, LM Studio, LiteLLM, and Ollama, part of $1,298,250 paid for 47 zero-days.

Pwn2Own hacking competition contest floor

The first Pwn2Own to put AI coding agents and local-inference tools on the target list — and every one of them fell.

Key specs

Total payout$1,298,250
Zero days47
Contest datesMay 14-16, 2026
Codex bounty$40,000
Lm studio bounty$40,000
Lite llm bounty$40,000

What is it?

Pwn2Own is Trend Micro Zero Day Initiative's recurring hacking contest where security researchers earn cash for demonstrating working zero-day exploits against fully patched, real-world software. The Berlin 2026 edition, held May 14-16, was the first to include dedicated Coding Agent and Local Inference categories alongside the usual operating systems, browsers, and enterprise software.

How does it work?

A contestant submits a previously unknown vulnerability and demonstrates it live against a current build of the target within a time limit. A panel verifies the exploit, the vendor receives the technical details under a disclosure window, and the researcher is paid per the published prize table. Coding Agent targets (OpenAI Codex, Cursor, Anthropic Claude Code) and Local Inference targets (LM Studio, LiteLLM, Ollama) each carried $40,000 top prizes, and teams chained multiple bugs to win them on day one.

Why does it matter?

AI coding agents and local model runners now sit in the same threat tier as browsers and operating systems. The contest showed that tools developers run with broad filesystem and shell access can be compromised through bugs nobody had seen before, handing vendors a concrete patch list and giving teams a reason to sandbox these agents rather than trust them.

Who is it for?

security teams, developers running AI coding agents

Sources · 3 outlets

Tags

  • pwn2own
  • security
  • zero-day
  • vulnerability-research
  • coding-agents
  • openai-codex
  • cursor
  • claude-code
  • lm-studio
  • litellm
  • ollama
  • local-inference

← All releases · Learn AI