CVE-2026-5194: WolfSSL Certificate Forgery (CVSS 9.1) — Part of 6,200+ AI-Discovered Flaws in Critical Open-Source Infrastructure

Anthropic's Project Glasswing disclosed on May 22–23, 2026 that Claude Mythos Preview autonomously discovered CVE-2026-5194, a critical flaw (CVSS 9.1) in the WolfSSL cryptography library — used extensively in embedded systems, IoT, and TLS stacks — that allows an attacker to forge X.509 certificates and impersonate legitimate services including banking and email domains invisibly. Mythos Preview not only identified the flaw but constructed a working exploit demonstrating certificate forgery. More broadly, Anthropic scanned 1,000+ widely used open-source projects and found 6,202 high- or critical-severity vulnerabilities with a 90.8% confirmed true-positive rate from external security firm review. As of disclosure, only 97 of the initially reported vulnerabilities have been patched upstream, exposing a severe bottleneck: volunteer open-source maintainers are overwhelmed by high-quality AI-generated vulnerability disclosures. The full catalogue of Glasswing-discovered CVEs will be disclosed on a 90-day coordinated disclosure schedule as patches become available.

For CVE-2026-5194 specifically: an attacker with the ability to forge WolfSSL certificates could perform HTTPS impersonation attacks against systems relying on WolfSSL for TLS validation, enabling man-in-the-middle interception without triggering certificate warnings. For the broader Glasswing catalogue: Mythos Preview demonstrated exploit-chain construction — chaining multiple low-severity bugs into single high-severity exploits autonomously, meaning the risk surface from these 6,200+ flaws is significantly higher than the individual CVSS scores suggest in isolation.

WolfSSL cryptography library (all versions prior to patched release — patch status to be confirmed against WolfSSL advisory); 1,000+ open-source projects across the Glasswing scanning programme, collectively underpinning significant portions of internet infrastructure, cloud services, and enterprise software stacks.

For CVE-2026-5194: monitor WolfSSL advisories (https://www.wolfssl.com/docs/security-vulnerabilities/) for the coordinated patch release; apply immediately upon availability. For the broader Glasswing catalogue: subscribe to Anthropic's Glasswing CVE disclosure feed and treat any new Glasswing-attributed CVE as high-priority for triage. Expand vulnerability triage processes to use exploitability context (EPSS scores, KEV status, reachability) rather than raw CVSS alone — the volume of confirmed high/critical disclosures expected over 2026 will overwhelm teams relying solely on severity scoring. Implement compensating controls (strict certificate pinning, mTLS, network segmentation) for systems using WolfSSL in critical paths.