At Pwn2Own Berlin 2026, AI security took centre stage as researchers for the first time trained their sights on AI coding assistants alongside traditional enterprise targets. They successfully breached AI tools from OpenAI and Anthropic while collectively earning nearly $1.3 million for exposing 47 previously unknown vulnerabilities across three days of competition.
Pwn2Own Berlin 2026
Pwn2Own is a long-running, prestigious hacking competition organised by the Zero Day Initiative (ZDI), a programme run by Trend Micro that rewards researchers for discovering and responsibly disclosing security flaws.
This year's edition, hosted during OffensiveCon in Berlin, focused heavily on enterprise technologies, including virtualisation platforms, AI-powered developer tools, operating systems, and collaboration software. Competing teams race against the clock to demonstrate working exploits on live systems, with prize money and "Master of Pwn" points awarded for each successful attack.
The final prize tally came to $1,298,250, awarded for 47 unique zero-day vulnerabilities across three days of competition. The top prize went to Taiwanese security firm DEVCORE, which claimed the title of Master of Pwn with a commanding 50.5 points and $505,000, a dominant performance across all three days. STARLabs SG finished second with 25 points and $242,500, followed by Out Of Bounds in third with 12.75 points and $95,750.
High-Value Exploits and AI Tools Under the Microscope
Some of the most lucrative demonstrations targeted core enterprise infrastructure. Nguyen Hoang Thach of STARLabs SG successfully exploited a memory corruption vulnerability in VMware ESXi, combined with the competition's Cross-tenant Code Execution add-on objective, earning $200,000 and 20 Master of Pwn points, one of the most valuable demonstrations of the event.
Microsoft's products also took a beating. Splitline of the DEVCORE Research Team chained together two vulnerabilities to compromise Microsoft SharePoint on stage, earning $100,000 and 10 Master of Pwn points. Meanwhile, researchers from Viettel Cyber Security used an integer overflow vulnerability to achieve local privilege escalation on Windows 11, earning $7,500.
Perhaps the most closely watched category was AI-assisted development tools, a first for the competition in a year when AI coding assistants have become embedded in enterprise workflows. Satoki Tsuji of Ikotas Labs demonstrated an exploit against OpenAI Codex by abusing an external control mechanism to trigger unintended behaviour and launch multiple calculator instances on the host system, a standard Pwn2Own proof-of-exploitation indicator. The demonstration earned $20,000 and 4 Master of Pwn points.
Anthropic's Claude Code also drew multiple attempts on the final day. Emanuele Barbeno and colleagues from Compass Security successfully demonstrated their exploit of Anthropic Claude Code on stage, though it hit a one-vulnerability collision with a previous attempt, earning the team $20,000 and 2 Master of Pwn points.
Similarly, Byung Young Yi of Out Of Bounds successfully demonstrated an exploit of Anthropic Claude Code, though the vulnerability used had been previously disclosed, still earning $20,000 and 2 Master of Pwn points.
What's Next: Security Patches
As with previous Pwn2Own events, all successfully demonstrated vulnerabilities will be disclosed privately to the affected vendors under coordinated disclosure rules, giving companies time to develop and release security patches before technical details become public.
For the AI industry in particular, the results signal that autonomous coding tools are now firmly in the sights of security researchers, and the race to harden them has only just begun.