
Claude Mythos revealed the hard truth: Your business turnaround process is too slow

In 2024, researchers from the University of Illinois found that GPT-4, when given a Common Vulnerabilities and Exposures (CVE) description, could autonomously exploit 87% of a dataset of 15 one-day vulnerabilities. Without the description, it could exploit only 7%. That gave the industry a "measure of safety": AI could exploit known vulnerabilities, but it could not find them.

However, on April 7, Anthropic announced that Claude Mythos Preview closed that gap, with the model autonomously finding thousands of zero-day vulnerabilities across all operating systems and browsers. Separately, Mythos scored 83.1% on the CyberGym vulnerability reproduction benchmark. In one campaign that targeted OpenBSD, 1,000 scaffold runs cost less than $20,000 in total compute.

Time-to-exploitation is shrinking. CVE-2026-33017 (CVSS 9.8) in Langflow was exploited 20 hours after disclosure, with no public exploit evidence beforehand. CVE-2026-39987 (CVSS 9.3) in Marimo was hit in 9 hours and 41 minutes.

The security infrastructure that many organizations rely on was not built for this. Rapid7's 2026 global threat report puts the average time from CVE publication to a listing in CISA's Known Exploited Vulnerabilities (KEV) catalog at five days. Google's M-Trends 2026 report found exploitation occurring before a patch was released. When the Langflow advisory was published, the first exploit came within 20 hours. When the Marimo advisory was published, it took less than 10 hours.

The assumption that your patch window is safe because exploitation takes time no longer holds. Here are the building blocks.

Replace CVSS-only prioritization with a three-layer filter

Most vulnerability management programs still prioritize by CVSS score alone. CVSS measures the "notional" severity of a vulnerability without considering whether it is being exploited in the wild or how quickly someone might exploit it. A CVSS 8.8 vulnerability with a history of active exploitation (such as Docker's CVE-2026-34040) gets a lower priority than a CVSS 9.8 vulnerability that may never be exploited in the wild.

Recent research validated against 28,377 real-world vulnerabilities offers a practical alternative: a three-layer decision tree that combines CISA KEV status, Exploit Prediction Scoring System (EPSS) scores, and CVSS into a single priority filter.

Three-Layer Priority Filter

Layer                         Data source          Threshold        Action                        SLA
1. Active exploitation        CISA KEV catalog     Listed in KEV    Emergency patch               Hours
2. Predictable exploitation   EPSS via FIRST.org   Score ≥ 0.088    Escalate to Tier 0 pipeline   24 hours
3. Foundation of resilience   CVSS via NVD         Score ≥ 7.0      Standard maintenance          Per policy

Proven result: 18x efficiency gain, 85.6% coverage of exploited vulnerabilities, ~95% reduction in emergency patching work. All three data sources are open and free.

The integration described here can be fully automated. A script can query the CISA KEV API, the EPSS API from FIRST.org, and NVD, and match your inventory against every published CVE. The human in this process should stay in the loop as an approver, not as a trigger.
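The decision tree in the table above, written out as a runnable script. This is an added example, not code from the article or from the research it cites; it evaluates the three layers in order over a constructed inventory and constructed feed snapshots so that it runs offline. In production the three inputs would be pulled from the open feeds the article names (the CISA KEV JSON feed, the FIRST.org EPSS API and the NVD CVE API); the CVE ids and CVSS scores below are the ones the article mentions, while the EPSS scores, the KEV membership and the asset names are assumptions for the example.

```python
"""Three-layer KEV / EPSS / CVSS priority filter (added example, not the
article's or the cited research's code)."""
from dataclasses import dataclass

EPSS_THRESHOLD = 0.088   # from the article's table
CVSS_THRESHOLD = 7.0     # from the article's table

# Constructed feed snapshots. CVE ids and CVSS base scores come from the
# article; EPSS values and KEV membership are assumed for the example.
KEV_SNAPSHOT = {"CVE-2026-34040"}
EPSS_SNAPSHOT = {
    "CVE-2026-34040": 0.310,
    "CVE-2026-33017": 0.410,
    "CVE-2026-39987": 0.020,
    "CVE-0000-00001": 0.004,   # placeholder id for a low-risk finding
}
CVSS_SNAPSHOT = {
    "CVE-2026-34040": 8.8,
    "CVE-2026-33017": 9.8,
    "CVE-2026-39987": 9.3,
    "CVE-0000-00001": 5.3,
}


@dataclass(frozen=True)
class Decision:
    cve: str
    tier: int      # 1 = active exploitation, 2 = predictable, 3 = resilience, 0 = below filter
    action: str
    sla: str
    reason: str


def classify(cve, kev=KEV_SNAPSHOT, epss=EPSS_SNAPSHOT, cvss=CVSS_SNAPSHOT):
    """Walk the three layers in order; the first layer that matches decides."""
    if cve in kev:
        return Decision(cve, 1, "emergency patch", "hours", "listed in CISA KEV")
    score = epss.get(cve, 0.0)
    if score >= EPSS_THRESHOLD:
        return Decision(cve, 2, "escalate to Tier 0 pipeline", "24 hours",
                        f"EPSS {score:.3f} >= {EPSS_THRESHOLD}")
    base = cvss.get(cve)
    if base is not None and base >= CVSS_THRESHOLD:
        return Decision(cve, 3, "standard maintenance", "per policy",
                        f"CVSS {base} >= {CVSS_THRESHOLD}")
    return Decision(cve, 0, "backlog", "none", "below all three thresholds")


def prioritize(inventory, kev=KEV_SNAPSHOT, epss=EPSS_SNAPSHOT, cvss=CVSS_SNAPSHOT):
    """inventory maps asset name -> CVE ids matched to it. Returns (asset,
    Decision) pairs, most urgent first; tier-0 items stay at the end for visibility."""
    rows = [(asset, classify(cve, kev, epss, cvss))
            for asset, cves in inventory.items() for cve in cves]
    rows.sort(key=lambda r: (r[1].tier or 99, r[0], r[1].cve))
    return rows


def approval_queue(rows):
    """Items a human must approve before the pipeline acts (tiers 1 and 2):
    the person is the approver, not the trigger."""
    return [(asset, d) for asset, d in rows if d.tier in (1, 2)]


# Constructed inventory: asset name -> CVEs matched to it (assumed, not real).
INVENTORY = {
    "docker-host-03": ["CVE-2026-34040"],
    "langflow-01": ["CVE-2026-33017", "CVE-0000-00001"],
    "marimo-dev-02": ["CVE-2026-39987"],
}

if __name__ == "__main__":
    rows = prioritize(INVENTORY)
    for asset, d in rows:
        print(f"tier {d.tier} {asset:15} {d.cve:16} {d.action:28} SLA={d.sla:10} ({d.reason})")
    print("awaiting approval:", [(a, d.cve) for a, d in approval_queue(rows)])
```

The KEV check runs first so that a vulnerability with confirmed exploitation is never downgraded by a modest EPSS or CVSS value; EPSS only decides for CVEs that are not yet in KEV, which is the case the article's 20-hour and 10-hour examples describe.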

Close the agent authorization gap

Rapid exploit generation changes not only how patches are prioritized but how controls are configured across the agent-driven systems that now carry privileged credentials. Your authorization policies have not been tested against the behavior of AI agents, and that is now a measurable risk. CVE-2026-34040 showed that Docker's authorization middleware silently skipped the plugin's check when the request body exceeded 1MB. Standard AuthZ plugins (OPA, Casbin, Prisma Cloud) cannot see this kind of bypass, because it happens in the Docker middleware before the request ever reaches the plugin.

When Cyera demonstrated this weakness, they showed that an AI debugging agent's infrastructure could trip over it while completing a legitimate task, without any instruction to exploit anything.

The Internet Engineering Task Force (IETF) is working on models for authorizing agents. The draft draft-klrc-aiagent-auth-01, published in March by contributors from AWS, Zscaler, Ping Identity, and OpenAI, proposes using the Secure Production Identity Framework for Everyone (SPIFFE) and OAuth 2.0 so that AI agents obtain dynamically provisioned, short-lived credentials.

Separately, the IETF Agent Identity Protocol draft (draft-prakash-aip-00) reports that of roughly 2,000 Model Context Protocol (MCP) servers surveyed, none had authentication.

But these standards are months to years away from adoption. Until then, security teams must themselves add agent-scale test conditions to every authorization policy: oversized requests, burst frequency, and multi-step escalation of privileged requests.

Map your credential blast radius

In a CSA/Zenity survey published on April 16, 53% of organizations said they had already seen AI agents exceed their intended permissions, and 47% had experienced a security incident involving an agent.

When AI builder tools like Flowise (CVE-2025-59528, CVSS 10.0), Langflow, or n8n become vulnerable, the blast radius extends beyond the host. These tools hold API keys for frontier models, database credentials, vector store tokens, and OAuth tokens for enterprise systems. A compromised AI builder host is not a single-system breach; it is a credential harvest that unlocks authenticated access to every connected service.

Without a host-to-credential dependency map for each AI tool, responding to an agent compromise is guesswork. For each host, list every credential, its access level, and the rotation procedure for it. Also start migrating static API keys to short-lived tokens wherever the upstream service allows it.

Five actions for this quarter

1. Adopt the three-layer KEV-EPSS-CVSS filter

Replace CVSS-only prioritization with the table above. Automate collection from all three APIs in a scheduled script run against your inventory. Expected result: 18x efficiency gain, 85.6% coverage of exploited vulnerabilities, 95% reduction in emergency patching burden.

2. Use event-driven patching for Tier 0 services.

Determine which services fall into the critical exposure category: Internet-facing services, hosts running AI components, and the orchestration control plane. For this tier, trigger patching from CVE publication instead of waiting for the next maintenance window.

Goal: deploy a patch to a canary within four hours of a CVE being designated critical. Use the CISA KEV and EPSS feeds as the triggers for event-driven patching. Where the four-hour remediation goal cannot be met because of legacy dependencies, fixed change windows, or rollback risk, immediately apply compensating controls: remove the vulnerable service's Internet exposure, rotate its credentials, disable the affected functionality (where feasible), and assign a named owner for the exposure until a patch ships.

Leaving exposure open indefinitely while waiting for a maintenance window is not acceptable.

3. Test authorization policies at agent scale.

Create test cases for every API that AI agents can reach through your AuthZ policies. Specifically, include test cases for request bodies exceeding 1MB, 5MB, and 10MB, for burst rates above 100 requests per second, and for non-standard parameter combinations (privileged flags, host mounts, added capabilities). In addition, upgrade to Docker Engine 29.3.1 to fix CVE-2026-34040.
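The test matrix from this step as a runnable regression suite. This is an added example, not code from the article or from Docker: it models in a few lines the failure mode the article describes for CVE-2026-34040 (a middleware that stops forwarding the request body to the authorization plugin above a size limit, so the plugin decides on an empty body), then runs the oversized-body, burst and privileged-parameter cases against a weak pipeline and a fail-closed one, reporting every case that fails open. The 1 MiB forwarding limit, the toy policy rules, the `HostConfig` fields chosen and the request shapes are constructed assumptions.

```python
"""Agent-scale AuthZ regression matrix (added example; not the article's or
Docker's code). Runs the article's test cases against two simulated
authorization pipelines and reports which cases fail open."""
import json

MIB = 1024 * 1024
FORWARD_LIMIT = 1 * MIB   # assumed boundary, mirroring the 1MB the article cites


def plugin_decide(body_bytes):
    """Toy AuthZ plugin: refuse privileged container settings. It can only
    judge what the middleware hands it, which is exactly the weakness under test."""
    if not body_bytes:
        return "allow"          # empty body: nothing to object to
    try:
        body = json.loads(body_bytes)
    except ValueError:
        return "deny"
    hc = body.get("HostConfig", {})
    if hc.get("Privileged"):
        return "deny"
    if hc.get("CapAdd"):
        return "deny"           # added capabilities
    if any(b.startswith("/") for b in hc.get("Binds", [])):
        return "deny"           # host path mount
    return "allow"


def weak_pipeline(request):
    """Forwards the body only while it fits the limit; otherwise forwards nothing."""
    body = request["body"] if len(request["body"]) <= FORWARD_LIMIT else b""
    return plugin_decide(body)


def hardened_pipeline(request):
    """Fails closed: a body the plugin cannot see in full is denied outright."""
    if len(request["body"]) > FORWARD_LIMIT:
        return "deny"
    return plugin_decide(request["body"])


def privileged_request(padding=0, host_config=None):
    """Constructed container-create request; padding inflates a label so the
    body reaches a target size while the JSON stays valid."""
    hc = host_config if host_config is not None else {"Privileged": True}
    doc = {"Image": "example:latest", "Labels": {"pad": "x" * padding}, "HostConfig": hc}
    return {"method": "POST", "path": "/containers/create",
            "body": json.dumps(doc, separators=(",", ":")).encode()}


def run_matrix(pipeline):
    """Return the names of matrix cases where the pipeline failed open."""
    failures = []
    # 1. Oversized bodies carrying a privileged flag: must still be denied.
    for mib in (1, 5, 10):
        req = privileged_request(padding=mib * MIB)   # wrapper pushes it past mib MiB
        if pipeline(req) != "deny":
            failures.append(f"body>{mib}MiB")
    # 2. Burst: more than 100 privileged requests in a row, every one denied.
    burst = [privileged_request() for _ in range(150)]
    if any(pipeline(r) != "deny" for r in burst):
        failures.append("burst>100rps")
    # 3. Non-standard parameter combinations at normal size.
    combos = {
        "privileged-flag": {"Privileged": True},
        "host-mount": {"Binds": ["/:/host"]},
        "cap-add": {"CapAdd": ["SYS_ADMIN"]},
    }
    for name, hc in combos.items():
        if pipeline(privileged_request(host_config=hc)) != "deny":
            failures.append(name)
    return failures


if __name__ == "__main__":
    print("weak pipeline fails open on:", run_matrix(weak_pipeline))
    print("hardened pipeline fails open on:", run_matrix(hardened_pipeline))
```

The point of the suite is the asymmetry it exposes: the plugin's rules are identical in both pipelines, and every small request is denied correctly, so a policy-only test would pass. Only the oversized cases show that the decision depends on what the middleware forwards, which is why the matrix has to be run against the full request path rather than the policy engine alone.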

4. Build a blast-radius map for every AI builder host.

Inventory the credentials on each instance of Langflow, Flowise, n8n, and any custom AI pipeline. Classify each credential by lifetime (static key vs. short-lived token). Identify what each credential can reach. Alert on any credential use from an unknown IP or identity.
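A minimal blast-radius map in code, covering both the dependency map called for in the section above and this checklist. This is an added example, not the article's code; the hosts, credential names, target services, access levels and rotation steps are all constructed. The structure is the article's: for each host, every credential, its lifetime, what it reaches and how to rotate it, plus the list of static keys to migrate where the upstream already offers short-lived tokens.

```python
"""Credential blast-radius map for AI builder hosts (added example; the fleet
below is constructed, not real infrastructure)."""
from dataclasses import dataclass, field

ACCESS_RANK = {"read": 1, "read-write": 2, "admin": 3}


@dataclass(frozen=True)
class Credential:
    name: str
    lifetime: str                 # "static_key" or "short_lived_token"
    reaches: frozenset            # services this credential unlocks
    access: str                   # "read", "read-write" or "admin"
    rotation: str                 # the procedure to rotate or revoke it
    upstream_short_lived: bool = False   # upstream offers short-lived tokens?


@dataclass
class Host:
    name: str
    tool: str
    credentials: list = field(default_factory=list)


def blast_radius(host):
    """Services reachable from a fully compromised host, with the highest
    access level any of its credentials grants to each service."""
    reach = {}
    for c in host.credentials:
        for svc in c.reaches:
            if ACCESS_RANK[c.access] > ACCESS_RANK.get(reach.get(svc), 0):
                reach[svc] = c.access
    return reach


def rotation_plan(host):
    """Rotation order for an incident: static keys first (they never expire on
    their own), then short-lived tokens; within each group, admin access first."""
    order = sorted(host.credentials,
                   key=lambda c: (c.lifetime != "static_key", -ACCESS_RANK[c.access], c.name))
    return [(c.name, c.rotation) for c in order]


def migration_candidates(fleet):
    """Static keys whose upstream already supports short-lived tokens."""
    return sorted((h.name, c.name) for h in fleet for c in h.credentials
                  if c.lifetime == "static_key" and c.upstream_short_lived)


# Constructed fleet (hypothetical hosts, services and procedures).
FLEET = [
    Host("langflow-01", "Langflow", [
        Credential("MODEL_API_KEY", "static_key", frozenset({"model-api"}), "read-write",
                   "revoke in provider console, issue new key, restart flows", True),
        Credential("PG_URL", "static_key", frozenset({"postgres-prod"}), "admin",
                   "ALTER ROLE password, update secret store, restart service"),
        Credential("CRM_OAUTH", "short_lived_token", frozenset({"crm"}), "read",
                   "revoke refresh token in the IdP", True),
    ]),
    Host("n8n-02", "n8n", [
        Credential("VECTOR_TOKEN", "static_key", frozenset({"vector-store"}), "read-write",
                   "rotate in vector store admin UI, update secret store"),
        Credential("CRM_OAUTH", "short_lived_token", frozenset({"crm"}), "read-write",
                   "revoke refresh token in the IdP", True),
    ]),
]

if __name__ == "__main__":
    for h in FLEET:
        print(h.name, "reaches", blast_radius(h))
        print("  rotation order:", [n for n, _ in rotation_plan(h)])
    print("migrate to short-lived tokens:", migration_candidates(FLEET))
```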

5. Run a shadow AI detection scan this week.

According to the CSA data, there is a better than 50% chance that your agents have already exceeded their intended limits. Check your Security Information and Event Management (SIEM) and network monitoring tools for traffic to the AI builders' default ports: Langflow 7860, Flowise 3000, and n8n 5678. Any unsanctioned instance is unmanaged attack surface.
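The port check from this step as detection logic run over sample events. This is an added example, not the article's code: it parses a handful of constructed, syslog-like connection records (the line format is an assumption, as is the approved-instance inventory) and flags destinations on the three default ports the article lists that are not sanctioned. Port 3000 is also a very common development server port, so hits there are reported at lower confidence.

```python
"""Shadow AI detection over connection logs (added example; the log format,
sample events and approved inventory are constructed)."""
import re
from collections import defaultdict

BUILDER_PORTS = {7860: "Langflow", 3000: "Flowise", 5678: "n8n"}   # from the article
LOW_CONFIDENCE_PORTS = {3000}                                      # shared with many dev servers

# Constructed inventory of sanctioned builder instances: (destination ip, port).
APPROVED = {("10.0.5.20", 7860)}

# Assumed line format: "<ts> conn src=<ip>:<port> dst=<ip>:<port> <ACTION>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+conn\s+src=(?P<src>[\d.]+):(?P<sport>\d+)\s+"
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<action>\w+)$")

# Constructed sample events (not real traffic).
SAMPLE_LOG = """\
2026-04-20T09:01:12Z conn src=10.0.8.15:51234 dst=10.0.5.20:7860 ALLOW
2026-04-20T09:01:40Z conn src=10.0.8.15:51240 dst=10.0.9.77:7860 ALLOW
2026-04-20T09:02:03Z conn src=10.0.8.22:40112 dst=10.0.9.77:7860 ALLOW
2026-04-20T09:02:30Z conn src=10.0.8.15:51250 dst=10.0.11.3:5678 ALLOW
2026-04-20T09:03:01Z conn src=10.0.8.30:44001 dst=10.0.12.9:3000 ALLOW
2026-04-20T09:03:15Z conn src=10.0.8.30:44002 dst=10.0.12.9:443 ALLOW
malformed line that should be skipped
"""


def parse(line):
    """Return a dict for a well-formed event, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": m["ts"], "src": m["src"], "dst": m["dst"],
            "dport": int(m["dport"]), "action": m["action"]}


def scan(lines):
    """Group builder-port connections by destination and report the ones that
    are not in the approved inventory, with how many distinct clients hit them."""
    clients = defaultdict(set)
    for line in lines:
        ev = parse(line)
        if ev is None or ev["dport"] not in BUILDER_PORTS:
            continue
        key = (ev["dst"], ev["dport"])
        if key in APPROVED:
            continue
        clients[key].add(ev["src"])
    findings = []
    for (dst, port), srcs in sorted(clients.items()):
        findings.append({
            "dst": dst,
            "port": port,
            "tool": BUILDER_PORTS[port],
            "sources": len(srcs),
            "confidence": "medium" if port in LOW_CONFIDENCE_PORTS else "high",
        })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"{f['confidence']:6} {f['tool']:8} {f['dst']}:{f['port']} "
              f"({f['sources']} client(s))")
```

The distinct-client count is what turns a port hit into a triage signal: a builder instance reached by several workstations is far more likely to be a running shadow deployment than a single developer's local test, and the medium-confidence Flowise hits on port 3000 should be confirmed against the destination before anyone is paged.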

The takeaway

AI agents are proliferating, and standards bodies are responding. The IETF has several drafts on agent authentication and authorization. The Coalition for Secure AI has published an MCP security taxonomy and Secure-by-Design rules.

But these standards move at a deliberate pace, and the window for exploitation is now measured in hours. Organizations that adopt the three-layer filter and event-driven patching this quarter will see measurable exposure reductions. Those that wait will be running calendar-based patch cycles against an adversary that works in under 20 hours.

Nik Kale is a principal engineer specializing in AI platforms for business and security
