Pwn2Own Berlin 2026 — OpenAI Codex Exploited, $1.29M in 47 Zero-Days

AI relevance: AI coding assistants are entering enterprise developer workflows at scale — Pwn2Own Berlin 2026 proved that these tools have exploitable attack surfaces, with OpenAI Codex successfully compromised on stage.

Pwn2Own Berlin 2026, hosted during OffensiveCon, concluded with $1,298,250 awarded for 47 unique zero-day vulnerabilities across three days. The contest targeted enterprise technologies, virtualization platforms, AI-powered developer tools, operating systems, and collaboration software.

Key AI-focused result

  • OpenAI Codex exploited on stage. Satoki Tsuji of Ikotas Labs demonstrated an exploit against OpenAI's Codex AI coding assistant by abusing an external control mechanism to trigger unintended behavior — successfully launching multiple calculator instances on the host system as a proof of exploitation. The demonstration earned $20,000 and 4 Master of Pwn points.

Other notable results

  • VMware ESXi: Nguyen Hoang Thach (STARLabs SG) exploited a memory corruption vulnerability in ESXi combined with the Cross-tenant Code Execution add-on, earning $200,000 — the highest single payout of the event.
  • Microsoft SharePoint: splitline of DEVCORE chained two vulnerabilities to compromise SharePoint ($100,000).
  • Windows 11: Viettel Cyber Security researchers used an integer overflow for local privilege escalation ($7,500).
  • Red Hat Enterprise Linux: Hyunwoo Kim chained a use-after-free with an uninitialized memory flaw for privilege escalation ($5,000).
  • Other attempts against Microsoft SharePoint and against Apple Safari were not completed within the time limit — under the strict contest rules, incomplete exploits earned nothing.

Final standings

  • 1st — DEVCORE: 50.5 points, $505,000 (Master of Pwn)
  • 2nd — STARLabs SG: 25 points, $242,500
  • 3rd — Out Of Bounds: 12.75 points, $95,750

Why it matters

AI coding assistants like Codex are being deployed as autonomous agents with file-system access and the ability to execute generated code. A successful exploit in this category means the attack surface extends beyond traditional software — the model-serving infrastructure, tool-calling mechanisms, and sandbox boundaries are all fair game. The Codex exploitation is particularly notable because it demonstrates that AI tooling is now a first-class target category at major offensive security competitions.

All demonstrated vulnerabilities will be disclosed privately to vendors under coordinated disclosure rules.

What to do

  • If you're deploying AI coding assistants, ensure they run in properly sandboxed environments with minimal host access
  • Review the external control mechanisms your AI tooling exposes — any input channel that influences agent behavior is a potential exploit surface
  • Monitor ZDI and vendor advisories for coordinated disclosures from Pwn2Own Berlin 2026 as patches become available
  • Consider AI developer tools in your threat model alongside traditional enterprise software