The hacking contest Pwn2Own has officially entered the AI era, and this year the technology was on both sides of the fight. At Pwn2Own Berlin 2026, security researchers used large language models and agentic coding assistants to help hunt for bugs, while the same class of tools, including Anthropic's Claude Code, OpenAI's Codex, and Cursor, sat on the target list waiting to be broken. Writing up the event, Trend Micro researcher Morton Swimmer says contestants collectively earned just under 1.3 million dollars, with the richest payouts going to operating system, hypervisor, and browser bugs and a growing share to AI targets.
Pwn2Own, run by Trend Micro's Zero Day Initiative (ZDI), invites researchers to compete at finding fresh vulnerabilities in widely used software and hardware. The Berlin event ran from May 14 to 16 at the OffensiveCon conference. Swimmer took part in the disclosure process for some AI targets and could not discuss specific bugs while they remain under embargo, but offered broader observations.
What got hacked
Across the AI categories, researchers attempted ten targets. In the coding agent category they took aim at all three on offer: Claude Code, Cursor, and OpenAI Codex. In local inference, contestants targeted LiteLLM, LM Studio, and Ollama. In Nvidia's category, the Container Toolkit was successfully attacked by Valentina Palmiotti (Chompie) of IBM X-Force and by a team called PWN2DACA, while the AI database category saw attempts against Chroma and Oracle's Autonomous AI Database.
The same weaknesses keep appearing
Swimmer says the flaws found across Claude Code, Codex, and Cursor traced back to the same root causes: developer tools that are handed too much power, and misplaced trust between AI agents and the humans driving them. Two issues stand out for defenders. Inference servers like Ollama are frequently left exposed on the public internet, and a successful exploit could grant access not just to the model but to the underlying host. The same risk applies to Nvidia's Container Toolkit, which bridges containers to GPUs and could, if abused, let an attacker escape to the host system. Last year's competition produced the first AI-category findings, including a critical use-after-free flaw in Redis (CVE-2025-49844) and a privilege-escalation bug in the Nvidia Container Toolkit (CVE-2025-23266).
Speed, not accuracy
Every team used LLMs somewhere in their workflow, Swimmer notes, but all reported high false-positive rates during discovery. The advantage AI gives bug hunters is speed, not correctness, the same trade-off seen in traditional security research. He warns that vibe coding, where similar AI-generated code spreads across unrelated projects, plus abusable developer tools and ongoing supply chain attacks, will only expand the attack surface heading into next year.
What you should do
Teams running self-hosted AI infrastructure should treat tools like Ollama, LM Studio, and the Nvidia Container Toolkit as sensitive services: keep them off the public internet, patch promptly, and isolate them from critical hosts. The full write-up is available in Trend Micro's original report.