Project Glasswing CVE List 2026: Every Confirmed Vulnerability

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
Project Glasswing has disclosed 1,596 vulnerabilities across 281 open-source projects, with 75 patched. This reference covers every publicly confirmed CVE, patch status, and what to do before fixes are available.
How Glasswing Vulnerability Disclosure Works
Anthropic operates a coordinated vulnerability disclosure program accessible at red.anthropic.com/2026/cvd/. When Claude Mythos Preview identifies a vulnerability in a partner's or open-source maintainer's codebase, Anthropic follows standard CVD practice: notifying the vendor, allowing time to develop and distribute a patch, and publishing a public advisory only after a fix is available or the disclosure window expires. This process is the same framework used by Google Project Zero, Microsoft Security Response Center, and other major CVD programs.
The scale of the Glasswing program creates operational pressure on CVD processes that were not designed for this volume. Across 281 open-source projects, Anthropic has disclosed 1,596 vulnerabilities. Of those, 75 have been patched with public advisories, and 65 have published security advisories. The remaining findings are either in active remediation, awaiting vendor response, or under extended embargo for particularly sensitive critical infrastructure software.
The 10,000-plus finding count across all Glasswing partners is a separate, larger number that includes proprietary codebases under partner-specific disclosure agreements. Most of these will not result in public CVEs because the affected software is internal to partner organizations. The publicly accessible CVD dashboard covers only the open-source and publicly distributed software subset.
Patched CVEs: Apply Now
CVE-2026-4747 affects the FreeBSD NFS client. The vulnerability is a memory corruption flaw present in the codebase for 17 years that allows unauthenticated remote code execution against any FreeBSD system with NFS client functionality enabled. It does not require prior authentication or a man-in-the-middle position; a malicious NFS server on a reachable network segment is sufficient. FreeBSD has issued a patch; update via freebsd-update or ports immediately. Any FreeBSD system, including those used as NAS appliances, embedded network devices, or general servers, is affected if NFS client is active.
CVE-2026-5194 is a CVSS 9.1 critical vulnerability in the wolfSSL embedded TLS library. The flaw allows an attacker to present a forged certificate that passes wolfSSL's signature verification without possessing a legitimate private key. Any client application using wolfSSL for TLS validation is vulnerable to impersonation of any HTTPS destination, including banking and email services. wolfSSL has published a patched version; check the wolfSSL security advisory for the specific affected version range and upgrade path.
CVE-2026-7291 is a VMM guest-to-host escape. A process running inside a virtual machine can exploit this flaw to execute code on the host hypervisor. The affected VMM components vary by platform; check the vendor advisory for your specific hypervisor. A patch is available. Prioritize this in any multi-tenant virtualization environment, including cloud provider infrastructure where VM isolation is a security boundary.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Critical Findings Under Active Disclosure
CVE-2026-8834 is a Linux kernel local privilege escalation. Patch development is in progress; a fix has not yet been distributed to all affected kernel versions. Until the patch is available, apply compensating controls: restrict access to the affected kernel subsystem via seccomp profiles, use SELinux or AppArmor policy to limit process capabilities, and monitor for unusual privilege escalation events via auditd. Kernel-level LPE is a top-tier post-exploitation primitive; assume this will be integrated into attack chains once public.
CVE-2026-5519 is a container escape vulnerability in runc, the container runtime used by Docker, Kubernetes, Podman, and all OCI-compliant container environments. A process executing inside a container can use this flaw to break out to the host system. Before a patch is available, limit container capabilities using seccomp and AppArmor profiles, avoid running containers as root, and review your runtime security monitoring for container breakout indicators. Organizations using managed Kubernetes services should check vendor patch availability independently.
The OpenBSD TCP SACK DoS vulnerability is a 27-year-old finding that has not yet been patched. No exploit code is public, but the vulnerability is confirmed by Anthropic's CVD program. OpenBSD deployments used as firewalls, VPN gateways, or network appliances are the primary risk surface. Mitigation before a patch: disable TCP SACK on affected systems where operationally feasible, and monitor for unusual TCP connection patterns. The FFmpeg H.264 vulnerability is a 16-year-old flaw with coordination in progress; avoid processing untrusted video input through FFmpeg until the fix is released.
Other Confirmed Glasswing Findings
Additional confirmed findings from the Glasswing program include several high-severity issues across widely deployed software. An nginx WebDAV module vulnerability allows unauthenticated remote file write to the web root. If WebDAV is enabled on your nginx deployment, disable it immediately or restrict access to authenticated users via IP allowlist. Ghost CMS has a SQL injection vulnerability in the Content API that allows an unauthenticated attacker with API access to extract database contents. Update Ghost and audit your Content API exposure. HashiCorp Nomad has a path traversal vulnerability allowing access to files outside the expected directory scope; apply the available patch and review your Nomad ACL configuration.
FreeRDP has a heap buffer overflow that allows a malicious RDP server to execute arbitrary code on a connecting client. Any endpoint using FreeRDP to connect to remote desktops is at risk if it connects to servers outside the organization's control. Update FreeRDP and avoid connecting to untrusted RDP hosts. ImageMagick has a buffer overflow triggered by a crafted image file; update to the latest patched release and avoid processing user-supplied images through unpatched versions. The Temporal platform has a cross-namespace privilege escalation that allows workflows in one namespace to access data or trigger actions in another; update to the patched release and review your namespace isolation configuration if Temporal is used to separate tenant workloads.
The bottom line
The Project Glasswing CVE list is a moving target. Disclosures are staggered across vendor patch timelines, and the 10,000-plus finding backlog means new public CVEs will continue to emerge through 2026 and beyond. Teams that rely on periodic patch audits will miss the window between disclosure and exploitation for the fastest-moving findings. For a consolidated view of the Mythos capability, the disclosure pipeline, and what the expansion to 200-plus organizations means for your threat surface, read the free Mythos Brief at /mythos-brief.
This analysis is generic — the platform version scores threats like this against your own stack.
Frequently asked questions
Where is the official Project Glasswing CVE list?
The official Anthropic CVD dashboard is at red.anthropic.com/2026/cvd/. VulnCheck also maintains a tracking post at vulncheck.com/blog/anthropic-glasswing-cves that cross-references NVD and vendor advisories. Not all Glasswing findings appear there; most are still under coordinated disclosure embargo. Monitor both sources for updates.
Which Glasswing CVEs are most critical to patch immediately?
CVE-2026-5194 (wolfSSL, CVSS 9.1, certificate forgery affecting IoT and automotive systems) and CVE-2026-4747 (FreeBSD NFS client, unauthenticated RCE, 17 years old) are the highest-priority patched CVEs. CVE-2026-5519 (runc container escape) is critical for any organization running Docker, Kubernetes, or Podman. Patches are available for all three; apply them without waiting for your standard patch cycle.
Does Project Glasswing affect Docker and Kubernetes?
Yes. CVE-2026-5519 is a container escape in runc, which is the container runtime underlying Docker, Kubernetes, Podman, and most OCI-compatible container environments. A successful exploit allows a process inside a container to escape to the host. Organizations running containerized workloads should treat this as a priority patch regardless of whether containers are multi-tenant.
Is CVE-2026-5519 runc actively exploited?
As of the date of this post, CVE-2026-5519 has not been added to the CISA Known Exploited Vulnerabilities catalog. However, runc container escapes are a high-value target for threat actors focused on cloud infrastructure. The combination of Mythos-level exploit development capability and a known public CVE means the window between disclosure and weaponization is shorter than historical norms. Patch or apply mitigations immediately.
How do I monitor for new Project Glasswing CVE disclosures?
Subscribe to the Anthropic security mailing list, monitor red.anthropic.com/2026/cvd/, and set up VulnCheck or NVD notification filters for the keyword 'Glasswing' and Anthropic as the reporting CNA. CISA advisories will capture the highest-severity findings. For open-source projects in your SBOM, configure Dependabot or equivalent to flag newly published CVEs matching your dependency list.
Are any Project Glasswing vulnerabilities in CISA KEV?
Check the CISA Known Exploited Vulnerabilities catalog at cisa.gov/known-exploited-vulnerabilities-catalog for current status. The catalog is updated as exploitation evidence is confirmed. Glasswing CVEs with active exploitation confirmed by CISA would trigger mandatory remediation timelines under CISA BOD 22-01 for federal agencies and are considered urgent for any organization following CISA guidance.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
