Zero Day Initiative · 2026-05-16 · major
Pwn2Own Berlin 2026 — AI Coding Agents and Local-Inference Tools Fall in Their First Outing: $1.3M Paid for 47 Zero-Days as OpenAI Codex, Cursor, Claude Code, LM Studio, and LiteLLM Are All Exploited
Pwn2Own Berlin 2026 added dedicated Coding Agent and Local Inference categories for the first time. Researchers exploited OpenAI Codex, Cursor, Claude Code, LM Studio, LiteLLM, and Ollama, part of $1,298,250 paid for 47 zero-days.

The first Pwn2Own to put AI coding agents and local-inference tools on the target list — and every one of them fell.
Key specs
| Total payout | $1,298,250 |
|---|---|
| Zero days | 47 |
| Contest dates | May 14-16, 2026 |
| Codex bounty | $40,000 |
| Lm studio bounty | $40,000 |
| Lite llm bounty | $40,000 |
What is it?
Pwn2Own is Trend Micro Zero Day Initiative's recurring hacking contest where security researchers earn cash for demonstrating working zero-day exploits against fully patched, real-world software. The Berlin 2026 edition, held May 14-16, was the first to include dedicated Coding Agent and Local Inference categories alongside the usual operating systems, browsers, and enterprise software.
How does it work?
A contestant submits a previously unknown vulnerability and demonstrates it live against a current build of the target within a time limit. A panel verifies the exploit, the vendor receives the technical details under a disclosure window, and the researcher is paid per the published prize table. Coding Agent targets (OpenAI Codex, Cursor, Anthropic Claude Code) and Local Inference targets (LM Studio, LiteLLM, Ollama) each carried $40,000 top prizes, and teams chained multiple bugs to win them on day one.
Why does it matter?
AI coding agents and local model runners now sit in the same threat tier as browsers and operating systems. The contest showed that tools developers run with broad filesystem and shell access can be compromised through bugs nobody had seen before, handing vendors a concrete patch list and giving teams a reason to sandbox these agents rather than trust them.
Who is it for?
security teams, developers running AI coding agents