<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>AI Security on Pfisterer Consulting</title><link>https://pfisterer.xyz/en/tags/ai-security/</link><description>Recent content in AI Security on Pfisterer Consulting</description><generator>Hugo</generator><language>en</language><lastBuildDate>Fri, 15 May 2026 07:00:00 +0200</lastBuildDate><atom:link href="https://pfisterer.xyz/en/tags/ai-security/index.xml" rel="self" type="application/rss+xml"/><item><title>Six Hours, Eighteen Years: What NGINX Rift Tells the Mittelstand</title><link>https://pfisterer.xyz/en/news/nginx-rift-18-jahre-ki-audit-mittelstand/</link><pubDate>Fri, 15 May 2026 07:00:00 +0200</pubDate><guid>https://pfisterer.xyz/en/news/nginx-rift-18-jahre-ki-audit-mittelstand/</guid><description>&lt;p&gt;On May 13, 2026, F5 and security researcher depthfirst publish a disclosure with weight behind it. CVE-2026-42945, codenamed &lt;strong&gt;NGINX Rift&lt;/strong&gt;, CVSS 9.2. Unauthenticated remote code execution in the &lt;code&gt;ngx_http_rewrite_module&lt;/code&gt; of NGINX. Affected: all open-source versions from 0.6.27 through 1.30.0 and NGINX Plus R32 through R36. The bug has been in the code since 2008. Eighteen years.&lt;/p&gt;
&lt;p&gt;The actual punchline sits in the disclosure footnote. The bug was not found by a human researcher. It was found by an autonomous AI analysis system. Six hours of runtime against one of the most thoroughly reviewed open-source codebases on the planet. This is the direct confirmation of the thesis I sketched on May 13 in the article on the &lt;a href="https://pfisterer.xyz/en/news/claude-mythos-firefox-glasswing-mittelstand/"&gt;Mythos Glasswing asymmetry&lt;/a&gt; as something coming. It arrived a week later.&lt;/p&gt;</description></item><item><title>The Glasswing Asymmetry: What Mythos Finds in Firefox and What the Mittelstand Should Learn</title><link>https://pfisterer.xyz/en/news/claude-mythos-firefox-glasswing-mittelstand/</link><pubDate>Wed, 13 May 2026 07:00:00 +0200</pubDate><guid>https://pfisterer.xyz/en/news/claude-mythos-firefox-glasswing-mittelstand/</guid><description>&lt;p&gt;On May 5, 2026, Mozilla publishes an unusually candid blog post: An early version of Anthropic&amp;rsquo;s newest model, Claude Mythos Preview, has found 271 security vulnerabilities in Firefox over the past weeks. 180 high-severity, 80 moderate, 11 low. Some of the bugs sat undiscovered in the code for 15 years, meaning since 2011. Patches went out in Firefox 149.0.2, 150, 150.0.1, and 150.0.2.&lt;/p&gt;
&lt;p&gt;That alone would be a substantial story. What makes it matter for the German Mittelstand is the footnote: Mythos is not publicly available. Anthropic currently hands the model only to eleven organizations under a program called Project Glasswing. The list contains U.S. hyperscalers, U.S. banks, U.S. security vendors, and the Linux Foundation. No German company. No European company outside Linux.&lt;/p&gt;</description></item></channel></rss>