Summary
Calif.io’s MADBugs NGINX write-up says Claude correctly flagged CVE-2026-27654, a heap buffer overflow in NGINX’s DAV COPY/MOVE handling that is reachable only under a specific alias configuration. Calif.io then worked through exploitability and preconditions with Claude and disclosed the issue to F5 and the NGINX maintainers.
The same public-attribution pattern appears in wolfSSL 5.9.1. The release notes credit “Calif.io in collaboration with Claude and Anthropic Research” on eight CVEs across ECCSI signature verification, AES-EAX/CMAC, certificate conversion, PKCS7, X.509 verification, ECH SNI handling, ChaCha20-Poly1305 EVP behavior, and ARIA-GCM.
Why this is grouped
This entry captures an important operating mode: AI did not replace the researchers. It accelerated hypothesis generation and byte-level exploit work, while humans decided which constraints mattered, validated the real-world preconditions, and coordinated disclosure.
Caveat
wolfSSL also credits Nicholas Carlini from Anthropic on CVE-2026-5194, a critical certificate-verification issue. This entry does not count that CVE because the wolfSSL release credit does not explicitly say it was found using Claude, even though secondary sources discuss it in the Anthropic/Claude context.
References
- Calif.io: Claude + Humans vs nginx
- wolfSSL release 5.9.1
- VulnCheck: Anthropic-credited CVEs
- CVE record: CVE-2026-27654
Catalogued in the Bugflation public ledger. Disagree with the attribution or severity label? Email the desk.