Zero Day Initiative web signal

DEVCORE wins Pwn2Own Berlin with $505K amid record AI exploits

cybersecurity coding tools ai-security pwn2own

Key insights

  • Pwn2Own Berlin 2026 set an all-time payout record of $1,298,250 across 47 zero-days in three days.
  • AI tools Cursor, OpenAI Codex CLI, and LiteLLM were all successfully exploited in the competition's first-ever AI category.
  • DEVCORE won Master of Pwn with 50.5 points and $505,000, the largest individual haul at the event.

Why this matters

AI coding assistants and inference middleware like Cursor and LiteLLM are now embedded in production developer workflows at scale, and confirmed zero-days in these tools mean adversaries can potentially compromise code output, exfiltrate context windows, or pivot into developer machines and CI/CD pipelines. The inaugural AI category producing multiple successful exploits in its very first year signals that the security review processes at AI tooling companies have not kept pace with their deployment velocity. For technical leaders evaluating AI tooling adoption, the Pwn2Own results provide the first structured, third-party adversarial benchmark against these products, which procurement and security teams will increasingly reference.

Summary

Pwn2Own Berlin 2026 wrapped its three-day run with DEVCORE claiming Master of Pwn, the competition's top honor, after accumulating 50.5 points and $505,000 in successful exploits. The full event paid out $1,298,250 across 47 unique zero-days, the largest payout in the competition's 19-year history. The headline addition this year was the inaugural AI product category, which saw successful exploitation of Cursor, OpenAI Codex CLI, and LiteLLM across the event. These aren't obscure targets: Cursor has millions of active developer users, Codex CLI is OpenAI's own agent runtime, and LiteLLM is widely deployed middleware sitting between enterprise applications and LLM backends. Day Three alone produced multiple successful attempts against AI coding and inference infrastructure.

Essentially, the event (DEVCORE, ZDI) demonstrated that AI developer tooling and inference infrastructure carry the same class of exploitable vulnerabilities that have plagued browsers and operating systems for decades.

  • $1.29M paid across 47 zero-days, surpassing all prior Pwn2Own records
  • AI tools Cursor, OpenAI Codex CLI, and LiteLLM each successfully exploited in the new AI category
  • DEVCORE's 50.5-point haul secured Master of Pwn outright

The fact that the first year AI products appeared in a major adversarial research competition produced this volume of findings is a signal that the security maturity gap in AI tooling is real and measurable.

Potential risks and opportunities

Risks

  • Enterprise teams running LiteLLM as inference middleware between internal applications and LLM APIs could be exposed to lateral movement attacks before a patch ships, given the tool's position as a trusted proxy in production stacks.
  • Cursor's large developer user base means any delayed patch increases the window during which a weaponized variant of the demonstrated exploit could target source code, API keys, or credentials stored in editor context.
  • OpenAI faces reputational risk if the Codex CLI vulnerability is exploited in the wild before disclosure, particularly given the tool's use in agentic and automated coding workflows where human review is reduced.

Opportunities

  • AI-aware application security vendors (Snyk, Socket, Semgrep) gain a concrete, competition-validated argument for AI toolchain security reviews, which should accelerate budget conversations at enterprises already evaluating these tools.
  • LiteLLM competitors and enterprise LLM gateway vendors (Portkey, Helicone, Kong AI Gateway) can use the disclosed vulnerability as a differentiator in procurement conversations over the next 60 to 90 days.
  • Cybersecurity firms specializing in red-teaming and AI system audits (Trail of Bits, NCC Group) are positioned to convert Pwn2Own's AI category results into demand for dedicated AI tooling security assessments from CISOs facing board-level questions about developer AI adoption.

What we don't know yet

  • Full technical details of the Cursor, Codex CLI, and LiteLLM exploits have not been disclosed publicly pending vendor patch windows, so the attack surface and exploitability conditions remain unconfirmed.
  • Whether OpenAI has issued or committed to a timeline for patching the Codex CLI vulnerability demonstrated at the event has not been reported as of May 17, 2026.
  • It is unclear whether enterprise customers running LiteLLM in production have been individually notified by ZDI or the LiteLLM maintainers ahead of public disclosure.