ctipilot.ch

2026-05-17-4381863a

One pipeline fire, in full · intel run of 2026-05-17 · sub-agent allocation and telemetry, per-iteration verification verdicts and findings, source-list edits, coverage gaps, bridge invocations — and the run's own verification & coverage notes: what was published, what was dropped at the borderline or judged not relevant (and why), single-source carve-outs, and contradictions. Rendered from runs/2026-05-17/2026-05-17-4381863a.md.

Run telemetry

2026-05-17-4381863a intel prompt v2.59
24m 24s duration 7 published 0 updates
Claude Opus 4.7 (claude-opus-4-7) main agent
S1 Claude Sonnet 4.6 (claude-sonnet-4-6)
Items returned
3
Duration
8m 09s
Tool calls
18 WebFetch4 WebSearch22 bridge
Cited sources
5 of 27 in slice
S2 Claude Sonnet 4.6 (claude-sonnet-4-6)
Items returned
3
Duration
7m 50s
Tool calls
14 WebFetch9 WebSearch12 bridge
Cited sources
7 of 43 in slice
S3 Claude Sonnet 4.6 (claude-sonnet-4-6)
Items returned
4
Duration
11m 18s
Tool calls
13 WebFetch22 WebSearch6 bridge
Cited sources
5 of 68 in slice
S4 Claude Sonnet 4.6 (claude-sonnet-4-6)
Items returned
3
Duration
8m 36s
Tool calls
14 WebFetch18 WebSearch9 bridge
Cited sources
6 of 25 in slice

Verification

#1 NEEDS_FIXES · Claude Opus 4.7 (1M context) · t=5 e=1 a=1 #2 NEEDS_FIXES · Claude Sonnet 4.6 · t=3 e=0 a=1 #3 NEEDS_FIXES · Claude Opus 4.7 (1M context) · t=4 e=2 a=1 #4 NEEDS_FIXES · Claude Sonnet 4.6 · t=1 e=1 a=0 #5 NEEDS_FIXES · Claude Opus 4.7 (1M context) · t=4 e=0 a=0

Deep dive

2026-05-17/pwn2own-berlin-2026-master-of-pwn-outcomes-the-new-ai-agents

Sources changed (this run)

Edits this run made to sources/sources.json · promotions, demotions, new candidates, and fetch-method / category / reliability / url corrections (the run record's sources_changed[]). Paginated; 10 per page.

No source-list edits recorded for this run.

Coverage gaps (this run)

Sources this run's brief needed that returned no usable content via any documented recipe. Bridge-recovered or quiet-day sources do NOT appear here. (Distinct from the independent source-accessibility probe at the foot of this section, which probes all active sources regardless of what any run needed.)

Source (uncovered)URL triedMethod chainStatus / classWhat the agent did instead
cisco-psirthttps://sec.cloudapps.cisco.com/security/center/Publications.x?type=Cisco%20Secuwebfetchrss404 transport-404
Cisco PSIRT RSS endpoint returned HTTP 404; alternate canonical URL probe also failed
none — Cisco PSIRT advisory list unreachable this run; no in-window Cisco advisories required for brief composition

Bridge invocations (this run)

9 bridge calls this run · these are successful bridge fetches (separate from "Coverage gaps" above).

6 ok2 empty feed1 item not found
  • bridge:url ×2
  • bridge:cisa-kev ×1
  • bridge:ncsc-csh.recent ×1
  • bridge:ncsc-nl.recent ×1
  • bridge:ncsc-nl.csaf ×1
  • bridge:bsi-rss ×1
  • bridge:enisa-euvd.recent ×1
  • webfetch ×1

Verification findings · all iterations

Per-iteration finding detail. Each table is one verifier pass · what was flagged, how the main agent remediated it, and the outcome. Walking the tables top-to-bottom shows the verifier's debugging trail across iterations.

Iteration #1 NEEDS_FIXES · 8 findings (truth=5, editorial=1, advisory=1) · Claude Opus 4.7 · 5m 45s

F-codeSectionItem · URL/quoteVerifier summaryRemediation · outcome
F1
hallucinated-fact
active-threatsCERT-PL CVE-2026-44088 SzafirHost JAR zip-polyglot bypass
CWE-345 attribution
CWE-345 attribution not in CERT-PL primary; CERT-PL assigns a different CWERemoved the CWE-345 link entirely; kept the technique-class ATT&CK ID reference fixed-degraded
F2
claim-not-supported
deep-divePwn2Own Day 1/Day 2 attribution drift
Viettel popped Cursor / STARLabs SG popped LM Studio / k3vg3n popped LiteLLM Day 2
Three attributions inverted: Viettel hit Codex Day 1 not Cursor; OtterSec hit LM Studio Day 2 (not STARLabs SG); k3vg3n LiteLLM was Day 1 not Day 2Rewrote Day 1 / Day 2 narrative paragraph with correct attributions (Viettel Codex Day 1; OtterSec LM Studio Day 2; k3vg3n LiteLLM Day 1) fixed-clean
F3
claim-not-supported
deep-divePwn2Own Day 3 NVIDIA Container Toolkit attribution
Day 3 ... NVIDIA Container Toolkit use-after-free
NVIDIA Container Toolkit UAF was Day 2 (0xDACA / Noam Trobinski $25K), not Day 3Moved NVIDIA Container Toolkit UAF to Day 2 paragraph with correct attribution and prize amount; removed from Day 3 fixed-clean
F4
claim-not-supported
deep-divePwn2Own Day 1 Ikotas Labs attribution
Ikotas Labs hit Codex via a separate external-control abuse
ZDI marks this as Satoki Tsuji collision ($8K), not Ikotas Labs external-control abuseReplaced with Satoki Tsuji collision attribution per ZDI Day 1 fixed-clean
F5
claim-not-supported
deep-divePwn2Own narrative cohesion
47 unique zero-days, $1,298,250 awarded
Surrounding attribution drift undermines reader trust in the headline; treat as single corrected paragraphFull rewrite of day-by-day paragraph addresses cohesion via F2/F3/F4 fixes fixed-clean
F6
quantifier-without-source
trending-vulnerabilitiesF5 BIG-IP 43 CVEs claim
43 CVEs
SecurityWeek (cited secondary) says 51; F5 K000160932 says different number. Citation backing for '43' was implicit onlyReworked F5 lead to attribute SecurityWeek's '51' and NCSC-NL CSAF's '43 in BIG-IP / BIG-IQ scope' explicitly with attribution to both sources fixed-clean
F7
strengthen-primary-source
trending-vulnerabilitiesCVE-2026-41225 F5 primary source
NCSC-NL listed first
F5 K000160932 is the vendor PSIRT primary; NCSC-NL is a CERT restatementFlipped footer source order: F5 K000160932 as primary, SecurityWeek and NCSC-NL as Additional sources fixed-clean
F8
editorial-advisory
deep-diveAI Agents category coverage list
every AI-agent target fell (OpenAI Codex, Cursor, LM Studio, LiteLLM, NVIDIA Container Toolkit)
Selective list omits Claude Code, Claude Desktop, Chroma, Megatron Bridge, Ollama (collisions); NVIDIA Container Toolkit is a runtime not an agent targetRewrote AI-Agents paragraph and TL;DR bullet to enumerate all targets with their outcomes (exploits + collisions) and remove NVIDIA Container Toolkit from the a fixed-clean

Iteration #2 NEEDS_FIXES · 4 findings (truth=3, editorial=0, advisory=1) · Claude Sonnet 4.6 · 4m 05s

F-codeSectionItem · URL/quoteVerifier summaryRemediation · outcome
F1
hallucinated-fact
deep-divePwn2Own Day 1 Satoki Tsuji attribution
Satoki Tsuji's Codex attempt collided
Iter1 F4 remediation introduced new error: Satoki Tsuji actually hit NVIDIA Megatron Bridge ($20K), not Codex; Codex collision was maitai (Doyensec); LiteLLM collision was Ikotas LabsRewrote Day 1 paragraph with correct attributions: Satoki Tsuji NVIDIA Megatron Bridge $20K; maitai/Doyensec Codex $10K collision; Ikotas Labs LiteLLM $8K colli fixed-clean
F2
claim-not-supported
trending-vulnerabilitiesCVE-2026-41225 CVSS discrepancy
CVSS 9.1
SecurityWeek states 8.6; NVD shows both CVSS 4.0 score 8.6 and CVSS 3.1 score 9.1 are valid for same CVE (different scales, not vendor disagreement)Bridge-verified F5 page (JS-gated, used WebFetch + NVD), confirmed both scores exist on different scales. Updated body, heading, TL;DR, CVE table, footer CVSS f fixed-clean
F3
claim-not-supported
deep-diveOtterSec LM Studio technique over-claim
OtterSec popped LM Studio with an SSRF-plus-code-injection chain
ZDI Day 2 lists OtterSec LM Studio as code injection only — no SSRF; SSRF+code-injection belongs to k3vg3n LiteLLM Day 1Removed SSRF prefix from OtterSec LM Studio description in Day 2 paragraph; updated AI Agents paragraph to clarify k3vg3n's LiteLLM is the SSRF chain and OtterS fixed-clean
F4
editorial-advisory
deep-diveViettel Claude Code collision $20K omitted
Day 1 missing Viettel Claude Code collision
Nguyen Thanh Dat (Viettel) hit Claude Code for $20K collision Day 1 — adds AI Agents target coverage completenessAdded Viettel Claude Code collision $20K to Day 1 narrative fixed-clean

Iteration #3 NEEDS_FIXES · 7 findings (truth=4, editorial=2, advisory=1) · Claude Opus 4.7 · 2m 01s

F-codeSectionItem · URL/quoteVerifier summaryRemediation · outcome
F1
analytical-link-as-fact
tldrPwn2Own TL;DR bullet OtterSec SSRF claim
LM Studio (OtterSec SSRF+RCE chain)
TL;DR carried OtterSec SSRF+RCE; ZDI Day 1 shows STARLabs SG did the SSRF+code-injection 5-bug chain; OtterSec Day 2 was code-injection onlyUpdated TL;DR to 'LM Studio (OtterSec code-injection Day 2; STARLabs SG separately ran an SSRF+code-injection 5-bug chain on Day 1)' fixed-clean
F2
hallucinated-fact
active-threatsSzafirHost Polish system names
Platforma e-Zamówienia, Portal Informacyjny, KSeF, P1 platform
Specific Polish system names not in CERT-PL or ENISA primary sourcesReplaced specific system names with generic 'Polish public procurement, court e-filing, tax administration and healthcare e-signature workflows' fixed-clean
F3
hallucinated-fact
active-threatsSzafirHost Swiss procurement portal acceptance
accepted by Swiss federal and cantonal procurement portals
Swiss portal acceptance claim not in CERT-PL/ENISA sourceRephrased to general eIDAS cross-recognition across EU member states and Switzerland's eIDAS-equivalent framework, dropping the specific portal-acceptance claim fixed-clean
F4
quantifier-without-source
active-threatsSzafirHost dominant claim
Szafir QES is the dominant Polish qualified signature stack
Other Polish QTSPs exist (Asseco/Certum, Eurocert) — 'dominant' is unsourcedSoftened to 'one of the established Polish qualified signature ecosystems' fixed-clean
F5
claim-not-supported
trending-vulnerabilitiesSecurityWeek phrasing
SecurityWeek tallies 51 high and medium-severity
Actual SecurityWeek phrasing is 'over 19 high-severity and 32 medium-severity'; 51 is the writer's sumUpdated TL;DR and § 2 lead to use SecurityWeek's actual phrasing 'over 19 high-severity and 32 medium-severity' with arithmetic attributed fixed-clean
F6
strengthen-primary-source
active-threatsSzafirHost CVSS source
CVSS: 8.6 in footer with CERT-PL as Source
CERT-PL does not publish numeric CVSS; 8.6 is from ENISA EUVDAdded body sentence explicitly attributing the CVSS 4.0 base 8.6 score to ENISA EUVD EUVD-2026-30512 and noting CERT-PL doesn't publish numeric CVSS fixed-clean
F7
editorial-advisory
deep-diveDay 1 omits Orange Tsai Edge sandbox escape
Day 1 enumeration
Orange Tsai's $175K 4-bug Edge sandbox escape was the day's biggest award and DEVCORE's Master of Pwn foundationAdded Orange Tsai Edge $175K opening of Day 1 narrative; also added STARLabs SG 5-bug LM Studio Day 1 chain fixed-clean

Iteration #4 NEEDS_FIXES · 2 findings (truth=1, editorial=1, advisory=0) · Claude Sonnet 4.6 · 5m 17s

F-codeSectionItem · URL/quoteVerifier summaryRemediation · outcome
F1
broken-url
trending-vulnerabilitiesNCSC-NL advisory URL SPA-renderedWebFetch on the SPA advisory URL returns only the redirect shell; URL exists per bridge fetch but isn't independently verifiable by a cold WebFetch readReplaced both NCSC-NL SPA URLs (NCSC-2026-0162 and NCSC-2026-0161) with the canonical CSAF JSON URLs (https://advisories.ncsc.nl/csaf/v2/2026/ncsc-2026-XXXX.jso fixed-clean
F2
claim-not-supported
trending-vulnerabilitiesF5 CVE-2026-41225 CWE attribution
[CWE-250](https://cwe.mitre.org/data/definitions/250.html)
NVD records CWE-648 (Incorrect Use of Privileged APIs) for CVE-2026-41225, not CWE-250 (Execution with Unnecessary Privileges)Changed CWE-250 link to CWE-648 with attribution 'per NVD' fixed-clean

Iteration #5 NEEDS_FIXES cap-breach · 4 findings (truth=4, editorial=0, advisory=0) · Claude Opus 4.7 · 5m 02s

F-codeSectionItem · URL/quoteVerifier summaryRemediation · outcome
F1
claim-not-supported
active-threatsFunnelKit Sansec quote attribution
Sansec describes it as
Quote was THN's rephrasing of Sansec, not Sansec verbatimRe-attributed quote: 'per The Hacker News's coverage of Sansec's research' with the exact THN-published quote fixed-clean
F2
quantifier-without-source
trending-vulnerabilitiesF5 BIG-IP NCSC-NL CSAF CVE count 43
43 CVEs in the BIG-IP / BIG-IQ scope
Verifier claimed CSAF lists only 23 CVEs, not 43REBUTTED — main agent re-verified CSAF via tools/fetch_source.py ncsc-nl csaf NCSC-2026-0162: 43 unique CVEs present including CVE-2026-41225. Iter5 verifier wa residual-at-cap
F3
hallucinated-fact
trending-vulnerabilitiesF5 CVE-2026-42406 and CVE-2026-41953 not in CSAF
iControl REST command injection cluster
Verifier claimed CVE-2026-42406 and CVE-2026-41953 not in NCSC-NL CSAFREBUTTED — main agent directly queried NCSC-NL CSAF JSON: both CVE-2026-42406 and CVE-2026-41953 are present in the 43-CVE CSAF list. Iter5 verifier was incorre residual-at-cap
F4
claim-not-supported
trending-vulnerabilitiesDHTMLX CVE-2026-41552 src attribute scope
via the `src` HTML attribute
CERT-PL ties the `src` attribute to CVE-2026-7182 (Diagram), not CVE-2026-41552 (Gantt/Scheduler)Removed `src` qualifier from CVE-2026-41552 sentence; moved it to the CVE-2026-7182 (Diagram) mention fixed-clean

Verification & coverage notes

The run record's narrative body, verbatim. This is where the run accounts for its own judgement calls — every borderline drop and judged-not-relevant item with its reason, dedup decisions, single-source items and their carve-outs, contradictions, and per-source coverage gaps — so nothing the run considered disappears silently.

Verification & coverage notesrun record body

2026-05-17-4381863a · Claude Opus 4.7 · window 40 h · 7 entries published

  • Items dropped:
    • GitLab CE/EE 18.11.3 security release — 25 CVEs including CVE-2026-7481 / CVE-2026-7377 / CVE-2026-6073 (CVSS 8.7 stored XSS). Dropped from § 2 because no CVE in the cluster clears any § 2 inclusion gate: not CISA-KEV-listed, no ENISA-EUVD exploited=true entry, top CVSS 8.7 (< 9.0), no public PoC, no in-the-wild exploitation reported. The XSS cluster is post-auth (Developer role required) with victim interaction prerequisite. Recommend operators apply through normal GitLab patch cadence; flagging would be over-weighted given today's competing operational signal. Source for reference: NCSC-NL NCSC-2026-0161, 2026-05-15.
    • FamousSparrow (UAT-9244) Azerbaijani oil & gas three-wave Exchange intrusion (Bitdefender, 2026-05-13). Surfaced by S3 and S4 but the primary publication is from 2026-05-13 — outside both the 40 h recency window and the 72 h developing window. The 2026-05-14 daily deep dive already covered FamousSparrow against the Azerbaijani energy operator; no material new development this run. Source for reference: Bitdefender Business Insights, 2026-05-13.
  • Single-source items: § 3 Kimsuky / PebbleDash / HelloDoor (Kaspersky Securelist as sole source) — included under the HIGH-reliability research-lab carve-out; explicitly flagged [SINGLE-SOURCE] in the item.
  • Items included with reduced confidence (window edge): § 3 Kimsuky item is at the edge of the 72 h developing window (Securelist publication 2026-05-14, ~62 h before run start) — included because the technical novelty (Rust-based PebbleDash variant + TryCloudflare quick-tunnel C2) is defender-actionable and not previously covered.
  • Contradictions: none surfaced this run.
  • Sub-agent timing: all four cti-research sub-agents (S1, S2, S3, S4) returned within budget. S1 → S4 durations 489 / 470 / 678 / 516 seconds, all well under the 30-min hard cap. S3 wrote S3.ended_at but its findings.S3.yaml was finalised at 04:19:21 UTC, with the assistant-text return delivered ~2 minutes after the disk artefact landed (no operational impact — main agent waits on the disk artefact, not the assistant-text return).
  • Coverage gaps: databreaches-net (5 consecutive runs failing 403 — Cloudflare anti-bot, no Wayback corroboration available; covered via primary regulator notices and victim disclosures where present); inside-it-ch (5 runs 403 — Cloudflare-protected, bridge fetches blocked); cisco-psirt RSS endpoint returned 404 in this run (last known good 2026-05-15; main vendor PSIRT page reachable, advisory list not); cert-fr (no new items since 2026-05-13 in the AVI/ACT feeds); cert-eu (most recent advisory dated 2026-05-13, outside the 40 h window); talos (bridge known-403, not attempted in this run — pivoted to other channels; pre-window content only); sophos-xops (HTTP 503 on blog fetch in this run); dfirreport (EtherRat + TukTuk flash alert published 2026-05-11, outside 72 h developing window). One candidate source surfaced by S3 — sansec-research (Sansec, sansec.io — Magecart and e-commerce skimming primary research) — promoted to status: "candidate" in sources/sources.json per the one-candidate-per-run rule.
  • Verification: five Phase 5.7 iterations ran (Opus / Sonnet-alt / Opus / Sonnet-alt / Opus rotation per v2.47); the brief publishes at the v2.46 cap-breach safety valve with the final iteration NEEDS_FIXES (truth=4, editorial=0). Iter1 found 5 truth + 1 editorial + 1 advisory (Pwn2Own attribution drift, F5 source-order, F5 quantifier); iter2 found 3 truth + 1 advisory (Satoki Tsuji attribution, CVSS dual-scale confusion 8.6 vs 9.1, OtterSec LM Studio technique over-claim); iter3 found 4 truth + 2 editorial + 1 advisory (SzafirHost overreach on Polish public-sector specifics, Swiss procurement portal claim, "dominant" quantifier, SecurityWeek phrasing, NCSC-NL CSAF source-attribution gap, Day 1 Orange Tsai Edge omission); iter4 found 1 truth + 1 editorial (NCSC-NL SPA URLs swapped for canonical CSAF JSON URLs, CWE-250 → CWE-648 per NVD). Iter5 residuals retained as the cap-breach record: F1 quote re-attributed (Sansec → The Hacker News citing Sansec, applied); F4 DHTMLX src qualifier scoped to CVE-2026-7182 only (applied). Iter5 findings F2 and F3 were verifier false-positives — main agent re-verified the NCSC-NL CSAF JSON directly (tools/fetch_source.py ncsc-nl csaf NCSC-2026-0162) showing 43 unique CVEs in the BIG-IP / BIG-IQ scope (not 23 as iter5 claimed) and all of CVE-2026-42930, CVE-2026-42924, CVE-2026-42406, CVE-2026-41953 present in the CSAF (iter5 claimed CVE-2026-42406 and CVE-2026-41953 absent). The brief preserves the 43-count and the four-CVE injection cluster as written. verification_residual_count = 4 records iter5's raw counts before this rebuttal-by-direct-CSAF-re-verification.

Migrated from briefs/2026-05-17.md (v2).

← Operations dashboard · day page 2026-05-17 · run-record contract: docs/pipeline.md