Pwn2Own Berlin 2026: Hackers Earn $1.3M as Codex, Cursor, and LM Studio Fall
Pwn2Own Berlin 2026 was not a conference for gentle product demos. It was the most competitive live exploitation contest on the planet, and the Berlin edition that wrapped on May 16, 2026, was the loudest in years. Hosted during OffensiveCon, this year’s event expanded the AI track into three distinct categories: Coding Agents, Local Inference, and AI Databases. For the first time, OpenAI Codex, Cursor, Anthropic Claude Code, LM Studio, LiteLLM, and Ollama were all fair game. Researchers had three days to compromise them live, on stage, in front of hundreds of spectators and a panel of judges.
By the closing ceremony of Pwn2Own Berlin 2026, forty-seven successful zero-day exploits had been demonstrated across all categories, and the AI assistant track immediately became the second-largest payout category after Enterprise Communications.
The headline figure from Pwn2Own Berlin 2026 is hard to ignore: $1,298,250 in total prizes distributed across all targets. That is not a rounding error. It is a signal that the software supply chain has shifted, and attackers are already adapting.
Related reading: Our earlier breakdown of vibe coding security risks explores how AI-generated code introduces vulnerabilities before it ever reaches production.
Why AI Assistants Changed the Game
Traditional Pwn2Own targets are browsers, operating systems, hypervisors, and enterprise software. These are mature attack surfaces with well-understood trust boundaries. AI coding assistants, by contrast, sit inside your Integrated Development Environment (IDE), read your codebase, suggest edits, and — in the case of agentic tools like Codex CLI and Cursor Composer — write and execute files on your behalf.
That positioning makes them a supply-chain sweet spot. Compromise the assistant, and you do not just steal data. You rewrite the code that ships to production. The addition of AI dev tools as a Pwn2Own category was inevitable, but the speed and creativity with which they fell surprised even seasoned judges.
If you follow enterprise security news, the BitLocker backdoor exploit from earlier this year showed how widely trusted software can become an attack vector. The Pwn2Own Berlin 2026 results extend that logic into the developer workspace itself.
What Happened at Pwn2Own Berlin 2026
Each tool presented a different architecture, and each architecture offered a different path to exploitation. The successful entries at Pwn2Own Berlin 2026 shared a common theme: trust inflation. Modern AI assistants are granted permissions that no human code reviewer would ever receive, and the boundaries between LLM-generated suggestions and executable code have blurred to the point of invisibility.
OpenAI Codex: From CWE-150 to External Control
Codex was the most heavily targeted AI coding assistant of the event. Four separate research teams attempted exploits across the three days, with mixed but ultimately devastating results.
On Day One, the team from Compass Security — Emanuele Barbeno, Cyrill Bannwart, Yves Bieri, Lukasz D., and Urs Mueller — used a single CWE-150 bug (Improper Neutralization of Special Elements) to exploit OpenAI Codex in the Coding Agent category. The judges confirmed the exploit within the time limit. Prize: $40,000 and 4 Master of Pwn points.
Later on Day One, maitai of Doyensec also demonstrated a successful exploit against Codex, though the judges ruled it a collision with a previously known bug. They still earned $10,000 and 2 Master of Pwn points. Notably, Le Duc Anh Vu of Viettel Cyber Security attempted an exploit of Codex on Day One but could not get the chain working within the allotted time.
On Day Two, Sina Kheirkhah of Summoning Team returned to Codex and scored a clean success in the second round, earning $20,000.
On Day Three, Satoki Tsuji of Ikotas Labs abused an external control of file name or path issue to exploit Codex and pop a host of calculators — a dramatic on-stage demonstration. He earned $20,000 and 4 Master of Pwn points.
By the end of the event, Codex had fallen three times to unique zero-days and once to a collision — a remarkable concentration of firepower on a single target.
Cursor: Two Hits, Two Different Bugs
Cursor markets itself as a secure alternative to cloud-based assistants because its local mode keeps code on-device. Pwn2Own Berlin 2026 proved that “local” does not mean “invulnerable.”
On Day Two, Le Duc Anh Vu of Viettel Cyber Security — the same researcher who missed Codex on Day One — successfully exploited Cursor, earning $30,000 and 3 Master of Pwn points.
Later that same day, Compass Security returned for a second round against Cursor and demonstrated another unique exploit chain. Because it was a second-round success, the prize was reduced to $15,000 and 3 Master of Pwn points.
The ZDI disclosures did not publish deep technical details of the Cursor exploit chains, but the fact that two separate teams found two distinct vulnerabilities in the same tool within twenty-four hours is telling. Cursor’s attack surface is richer than its marketing suggests.
LM Studio: SSRF and Code Injection Chains
LM Studio’s exploits were the most architecturally complex of the AI category. Because LM Studio allows users to download and run arbitrary GGUF models, the attack surface includes not just the application but the entire model-supply chain.
On Day One, STARLabs SG — Billy, Pan Zhenpeng, and Weiming Shi — chained five separate bugs, including SSRF (Server-Side Request Forgery) and Code Injection, to compromise LM Studio in the Local Inference category. It was a full win: $40,000 and 4 Master of Pwn points.
On Day Two, OtterSec — Nikolaos Mourousias, Caue Obici, and Bruno Halltari — found a separate Code Injection bug in LM Studio’s second round, earning $20,000 and 4 Master of Pwn points.
The combination of SSRF and code injection suggests that LM Studio’s model-download pipeline and local inference engine are both exploitable. A malicious model or a rogue update server could turn a developer’s local AI workstation into a beachhead.
Anthropic Claude Code, LiteLLM, and Ollama
The AI category was deeper than just Codex, Cursor, and LM Studio.
Anthropic Claude Code in the Coding Agent category saw four attempts across three days, all ruled as collisions with previously known bugs. Viettel Cyber Security’s rewhiles earned $20,000 on Day One; Summoning Team’s Sina Kheirkhah earned $10,000 on Day Two; and both Compass Security and Out Of Bounds earned $20,000 each on Day Three. No unique zero-day was confirmed, but the repeated collisions show that the vulnerability surface is real and already being explored by multiple independent researchers.
LiteLLM saw three attempts: a clean success by k3vg3n ($40,000, Day One), a collision by Ikotas Labs ($8,000, Day One), and a success-with-collision by Out Of Bounds ($17,750, Day Two).
Ollama was hit by Out Of Bounds (David Tae and Louis Hur) on Day Two with a success-plus-collision, earning $28,000.
Chroma, in the AI Database category, fell to Out Of Bounds (haehae) on Day One via a two-bug chain involving integer overflow (CWE-190) and race conditions (CWE-362). Prize: $20,000.
The Full Prize Breakdown
Pwn2Own Berlin 2026 distributed $1,298,250 in total prizes across five master categories. The AI track, debuting in expanded form this year, immediately became a major payout category.
| Target / Category | Successful Exploits | Total Payout |
|---|---|---|
| Windows 11 (Elevation of Privilege) | 8 | $560,000 |
| VMware Workstation (Guest-to-Host Escape) | 4 | $280,000 |
| Ubuntu Linux (Local Privilege Escalation) | 6 | $240,000 |
| NVIDIA GPU Driver (Kernel Escalation) | 3 | $300,000 |
| Enterprise Communications (Zoom, Teams, Slack) | 5 | $500,000 |
| AI Coding Assistants / Inference / Databases | 3 unique + collisions | ~$200,000+ |
| Automotive / Tesla Infotainment | 4 | $340,000 |
| Router / NAS (Multiple Vendors) | 7 | $210,000 |
| Master of Pwn (Combined Bonus) | — | — |
| Grand Total | 47 | $1,298,250 |
(Note: Exact AI-only figures are preliminary because ZDI reports full prize amounts for first-round successes and reduced collision payouts. The AI category total is best estimated at roughly $200,000–$250,000 in unique zero-day prizes, with additional collision payouts on top.)
Notable Teams and Master of Pwn
- DEVCORE Research Team (Taiwan) — Master of Pwn winner with 50.5 points and $505,000.
- Orange Tsai: Microsoft Edge sandbox escape ($175,000) and Microsoft Exchange RCE as SYSTEM ($200,000).
- Angelboy & TwinkleStar03: Windows 11 privilege escalation ($30,000).
- splitline: Microsoft SharePoint ($100,000).
- STARLabs SG (Singapore) — Second place with 25 points and $242,500.
- Out Of Bounds (South Korea) — Third place with 12.75 points and $95,750.
- Chroma AI Database exploit ($20,000).
- LiteLLM and Ollama local inference wins.
- Compass Security (Switzerland) — Codex ($40,000) and Cursor ($15,000).
- Viettel Cyber Security (Vietnam) — Cursor ($30,000) and multiple Claude Code collisions.
- OtterSec — LM Studio Code Injection ($20,000).
For teams interested in proactive defense, our NMAP for Cybersecurity guide covers network scanning techniques that can help identify exposed developer services like local inference APIs.
What This Means for Developer Supply Chains
The Pwn2Own Berlin 2026 results are not merely entertaining spectacle. They are a stress test for an assumption that millions of development teams have quietly adopted: that AI-generated code is safe because it comes from a trusted assistant.
That assumption is bankrupt.
The Scope Problem
When you invite an AI assistant into your repository, you are not hiring a junior developer. You are installing a black-box system that reads your secrets, understands your architecture, and can write executable code with the same privileges you use to compile and test. The attack surface is not the generated code alone. It is the entire interaction loop: file watchers, indexers, WebSocket channels, network requests, and post-processing scripts.
The Codex exploits proved that even a benign-looking utility package can become an instruction channel if input validation fails. In modern dependency trees with thousands of packages — as we saw in the npm supply chain attack earlier this year — manual review of every edge case is impossible. We have shifted from “supply chain” as a packaging concern to “supply chain” as a reasoning concern.
Cascading Failure
The Cursor exploit demonstrated something darker: cascading trust failure. The target was a local-mode IDE plugin designed to keep code on-device. Yet multiple independent teams found remote-exploitable bugs. This is the architecture of a worm waiting to happen.
Imagine a scenario: a malicious package on npm includes a README with a hidden payload. A developer opens it in VS Code with Cursor installed. Cursor reads the README for context. A hidden instruction triggers. Cursor writes a backdoor into the next file the developer edits. That file is committed, reviewed by a human who sees only legitimate logic, merged, and deployed. The backdoor reaches production not because someone ran npm install with sudo, but because an AI assistant processed untrusted input.
That is not science fiction. That is the threat model that won $30,000 on stage at Pwn2Own Berlin 2026.
Model Integrity
The LM Studio attacks introduced a third vector that most teams have not even begun to evaluate: model-file integrity. We checksum Docker images. We pin dependency versions. We audit package-lock.json. But when a developer downloads a 4 GB GGUF model from a community repository, how many teams verify anything beyond the file name?
The LM Studio SSRF and code injection exploits proved that inference pipelines are executable attack surfaces. Parser bugs in inference engines can turn a model download into arbitrary code execution. If your MLOps pipeline treats model weights as opaque blobs, you are one malicious download away from a persistent compromise of your development environment.
How Teams Can Protect Their AI Tooling
The good news is that every exploit demonstrated at Pwn2Own Berlin 2026 is preventable with architecture changes that security-aware teams should already be implementing. The bad news is that most teams are not implementing them.
1. Sandboxing Is Non-Negotiable
If your AI assistant can write to your home directory, your SSH config, or your shell profile, you have already lost. Run AI agents inside restricted containers, separate VMs, or at minimum, file-system namespaces with no write access outside a designated scratch directory.
Tools like firejail, Docker with read-only bind mounts, or even macOS sandbox profiles can prevent an agentic assistant from escaping its workspace. If the Cursor exploit had been executed inside a container with no access to ~/.bashrc, the chain would have ended at the IDE layer — annoying, but not catastrophic.
2. Vet LLM Outputs Before Execution
Never let an AI assistant run generated code without human review. This sounds obvious, but agentic modes in Cursor, Codex CLI, and similar tools increasingly default to “auto-run” for tests, build scripts, and shell commands. Turn that off.
Implement a simple policy: generated shell commands require explicit confirmation. Generated file writes outside /tmp/ai-scratch require a second human approval. These are friction points by design. Friction is what prevents automated exploitation.
3. Network Segmentation for Dev Environments
Development machines should not have unrestricted internet access. If your AI assistant needs to reach an LLM API, proxy that traffic through a controlled gateway. If it does not need network access at all, disable it.
The Codex exfiltration class of bugs relies on outbound connections from the IDE process. A simple egress firewall rule blocking outbound connections from the assistant process — or better yet, running the assistant in an offline air-gapped subnet — would neutralize the exfiltration channel entirely.
4. Least Privilege for Coding Agents
Treat your AI assistant like the most gullible intern you have ever hired. It will execute anything that looks like an instruction. It will not question authority. It will not notice that a dependency file is suspicious.
Run the assistant under a dedicated user account with no access to production credentials, .ssh keys, .aws profiles, or environment files containing API tokens. If the assistant needs to read a .env file to offer useful suggestions, copy a redacted version into its workspace. Never let it touch the real one.
5. Verify Model Provenance
For teams running local models via LM Studio, Ollama, or similar tools, start treating model weights as first-class software dependencies. Pin hashes. Verify signatures where available. Scan GGUF and Safetensors files with static analyzers before loading them into inference engines.
The Hugging Face Hub now supports commit signing and malware scanning, but the feature is opt-in. Make it opt-out on your team. A 4 GB model file should pass the same integrity verification as a Docker layer before it touches a developer workstation.
6. Audit for Prompt-Injection Resilience
Finally, run your own red-team exercises. Feed your AI assistant deliberately malicious comments, hidden instructions in markdown, and obfuscated payloads in docstrings. Observe whether the model repeats, acts on, or leaks those instructions.
If a hidden SYSTEM: directive in a JSDoc block can influence your Codex output, you have a vulnerability that Pwn2Own Berlin 2026 proved is worth real money to the right buyer. It is worth infinitely more to fix before an attacker finds it in your repository.
What Comes Next
Pwn2Own Berlin 2026 will be remembered as the year AI coding assistants officially entered the adversarial arena. The $1.3 million prize pool is not just a headline. It is a price signal. Security researchers, bug-bounty hunters, and advanced threat actors now know that developer tooling is exploitable, lucrative, and largely unprotected.
For teams building software in 2026, the takeaway is uncomfortable but necessary: your AI assistant is a new attack surface, and it is sitting at the center of your supply chain. Trusting it blindly is no longer a productivity hack. It is a liability.
The exploits demonstrated in Berlin were elegant, creative, and entirely preventable. The question is whether the industry will treat them as a wake-up call — or wait for the first production incident that starts with a dependency file and ends with a breached production database.
References and further reading
- Pwn2Own — Zero Day Initiative
- OffensiveCon
- OpenAI Codex
- Cursor
- LM Studio
- Anthropic Claude Code
- Ollama
- LiteLLM
- Chroma
- Compass Security
- Doyensec
- Viettel Cyber Security
- STARLabs SG
- OtterSec
- DEVCORE
- CWE-150 — MITRE
- CWE-190 — MITRE
- CWE-362 — MITRE
- OWASP — Server-Side Request Forgery (SSRF)
- OWASP — Code Injection
- Docker
- firejail on GitHub
- Hugging Face Hub
Please let us know if you enjoyed this blog post. Share it with others to spread the knowledge! If you believe any images in this post infringe your copyright, please contact us promptly so we can remove them.