Pwn2Own Berlin 2026: $1M+ Paid, AI Products Hacked, Windows Falls Again

The world’s most prestigious hacking competition just wrapped up its most explosive edition ever. Pwn2Own Berlin 2026, held at the OffensiveCon conference from May 14 to May 16, shattered records with over $1 million paid to researchers who demonstrated 29 unique zero-day vulnerabilities across Windows 11, Microsoft Edge, AI products including OpenAI Codex, NVIDIA’s AI infrastructure, and more. This is not just a hacking contest result — it’s a snapshot of exactly where the world’s software is most vulnerable right now.

What Happened at Pwn2Own Berlin 2026?

Pwn2Own Berlin 2026 is organized by the Zero Day Initiative (ZDI), the world’s largest vendor-agnostic bug bounty program. Each year, security researchers compete to demonstrate working exploits against fully patched, current versions of widely used software, so every bug shown on stage is by definition a zero-day the vendor has not yet fixed. This year’s event ran alongside OffensiveCon, one of Europe’s top offensive security conferences, and attracted the most participants in the competition’s history, so many that the event hit capacity and had to turn hackers away.

The competition featured new categories for 2026: AI products. OpenAI Codex, LiteLLM, ChromaDB, and NVIDIA Megatron Bridge were all on the target list, recognizing that AI infrastructure has become critical enough to deserve the same scrutiny as operating systems and browsers. That turned out to be a wise decision — and a sobering one.

Day One: $523,000 and 24 Zero-Days in One Day

On the very first day of competition — May 14 — researchers demonstrated 24 unique zero-days and walked away with $523,000 in prize money. That figure, paid out in a single day, puts this edition of Pwn2Own in record territory. To put it in perspective: the entire prize pool for some previous Pwn2Own events was lower than what was paid on day one alone in Berlin.

The DEVCORE Research Team quickly established themselves as the team to beat. Orange Tsai, one of the most decorated offensive security researchers alive, chained together four logic vulnerabilities to completely escape the sandbox protections in Microsoft Edge — the browser Microsoft has been pitching as its most secure ever. That exploit alone earned $175,000 and served as one of the event’s most technically impressive moments.

The DEVCORE Research Team finished the three-day event with $205,000 in total earnings and the most Master of Pwn points, claiming the top spot on the leaderboard. Valentina Palmiotti placed second with $70,000.

AI Products Fall: OpenAI Codex, LiteLLM, and NVIDIA Hacked

The most alarming results of Pwn2Own Berlin 2026 weren’t the Windows or browser exploits — those are expected. What’s genuinely alarming is how badly the AI infrastructure category performed.

Compass Security used a single CWE-150 bug (Improper Neutralization of Escape, Meta, or Control Sequences) to exploit OpenAI Codex, earning $40,000 and four Master of Pwn points. One bug, one team. OpenAI Codex, the AI coding assistant whose model family originally powered GitHub Copilot and which is used by millions of developers, fell to a single exploit rather than a long chain. This raises immediate questions about the security posture of AI-assisted development tools at a time when more code than ever is being written with AI help.

k3vg3n chained three bugs to take down LiteLLM ($40,000) — one of the most widely used open-source libraries for proxying requests to large language models. If you’re running a startup or enterprise that uses LiteLLM to route between OpenAI, Anthropic, and other AI providers, this result should prompt an immediate review of your deployment.

Satoki Tsuji and haehae exploited NVIDIA Megatron Bridge zero-days, earning $20,000, and haehae also dropped a Chroma zero-day for another $20,000. ChromaDB is among the most popular open-source vector databases for AI applications and is a common building block in RAG (Retrieval-Augmented Generation) deployments.

The message from the AI category results is stark: the industry has spent enormous resources on AI capabilities and almost none on AI security. This is not sustainable, especially as AI-assisted attacks accelerate on the offensive side simultaneously.

Windows 11 and Microsoft Edge Breached

Beyond the AI category, Windows 11 and Microsoft Edge both fell, as they have in nearly every Pwn2Own in recent memory. The Angelboy and TwinkleStar03 team from DEVCORE used an Improper Access Control bug to escalate privileges on Windows 11, earning $30,000. The privilege escalation category remains one of the most consistently exploited areas year after year: despite billions in security investment, Windows access control checks remain a reliable source of exploitable logic bugs.

Orange Tsai’s Edge sandbox escape deserves special attention. A sandbox escape breaks out of the restricted renderer process the browser uses to contain the damage a malicious web page can do. On its own it presupposes a foothold inside that sandbox, which is what a renderer remote code execution bug provides; chained together, the two turn a visit to a malicious website into a full system compromise. Four logic vulnerabilities chained together. No memory corruption. No kernel bugs. Just logic flaws, which is why the memory-safety mitigations vendors have spent years building (ASLR, control-flow integrity, hardware-enforced stack protection) did nothing to stop the chain.

This echoes a broader trend identified in the Mandiant M-Trends 2026 report: exploits are increasingly logic-based and increasingly fast. 28.3% of CVEs are now exploited within 24 hours of disclosure. Pwn2Own demonstrates what elite researchers can do with more time and better tooling. Attackers with nation-state resources operate at a similar level.

When Pwn2Own Fills Up, Hackers Go Rogue

One of the most extraordinary side stories from Pwn2Own Berlin 2026 is what happened to the researchers who didn’t make it in. The event hit its participation cap and had to turn away dozens of registered teams. In previous years, turned-away researchers would simply wait for next year. Not in 2026.

Multiple researchers who were locked out of the competition chose to publicly release their zero-days anyway — for free, with no coordinated disclosure, no vendor notification, and no payout. Their reasoning, shared across social media and security forums: if ZDI won’t make room for us, we’ll demonstrate our capabilities publicly. The result was a cluster of unpatched vulnerabilities dropped into the public domain over the course of the conference week, creating a nightmare for the affected vendors and their customers.

This is a troubling development for the vulnerability disclosure ecosystem. Pwn2Own’s capacity constraints are creating a perverse incentive structure where researchers who would otherwise participate in responsible disclosure are instead choosing uncoordinated public disclosure. ZDI will need to address this if the situation repeats in future events.

Final Results: Over $1 Million Paid

By the time Day Three concluded on May 16, Pwn2Own Berlin 2026 had paid out well over $1 million across 29+ unique zero-days demonstrated against a wide range of targets including Windows 11, Microsoft Edge, OpenAI Codex, LiteLLM, ChromaDB, NVIDIA Megatron Bridge, and enterprise software categories.

The DEVCORE Research Team claimed the Master of Pwn title. All successfully demonstrated vulnerabilities are reported to the affected vendors, who are given 90 days to release patches through the ZDI responsible disclosure process. Expect a wave of critical security patches from Microsoft, NVIDIA, OpenAI, and others over the next three months.

For enterprise security teams, this 90-day window is critical. The vulnerabilities are now known to ZDI, the vendors, and potentially to other researchers and threat actors who may discover them independently. Organizations running affected software should implement compensating controls immediately and prioritize patching the moment official fixes are available.

What This Means for Enterprise Security

Pwn2Own results are not just a scoreboard — they’re a roadmap for what’s coming to production environments within months. Here’s what every CISO and security engineer should take from Berlin 2026:

AI infrastructure is not ready for enterprise trust without security controls. OpenAI Codex, LiteLLM, and ChromaDB all fell at Pwn2Own. If you’re deploying AI pipelines in production, you need network segmentation, least-privilege access controls, and monitoring on your AI infrastructure the same way you’d treat any other critical system. Note that LiteLLM and ChromaDB are open-source components you run yourself, so the patch and the exposure are yours to manage, not a vendor’s. The assumption that AI vendors are handling security for you is no longer defensible after these results.

Browser sandbox escapes are still very much alive. Despite years of hardening, a four-bug logic chain broke Edge’s sandbox in 2026. Zero-trust browser isolation and enterprise browser solutions should be on every security team’s roadmap.

The 90-day patch window is a race. These vulnerabilities are now in vendor hands. Smart threat actors monitor Pwn2Own results and attempt to independently rediscover the same bugs. Treat the next 90 days as a heightened threat period for the affected software categories. Check out our guide to AI agent security practices for more on securing AI deployments.

Invest in offensive security talent. The teams that won at Pwn2Own are using the same techniques that attackers use. Organizations that run internal red teams, purple team exercises, and bug bounty programs are better positioned to find their own bugs before the next Pwn2Own — or the next real attack campaign.

For broader context on how AI is reshaping the threat landscape, see the Zero Day Initiative’s research blog, Security Affairs’ day-by-day coverage, and BleepingComputer’s technical breakdown. The HackRead analysis of the capacity overflow situation is also worth reading.

Conclusion

Pwn2Own Berlin 2026 is the most consequential hacking competition in years — not just for the record payout, but for what it revealed about the state of AI security. While the industry races to deploy AI everywhere from coding assistants to vector databases to AI model gateways, security researchers just demonstrated that these systems are riddled with exploitable vulnerabilities. The 90-day countdown to patches starts now. Use that time wisely.

If you’re a defender, take note. If you’re an AI vendor, take this personally. And if you’re a researcher who got turned away from the competition — maybe next time, consider working with the vendors directly rather than dropping 0-days into the wild. The ecosystem needs you on the right side.
