Hackers win record $1.3M at Pwn2Own Berlin 2026
AI-generated from multiple sources. Verify before acting on this reporting.
BERLIN — A global hacking competition concluded Saturday with researchers uncovering 47 unique zero-day vulnerabilities across enterprise software and artificial intelligence systems, setting a new payout record of $1,298,250.
The Pwn2Own Berlin 2026 event, organized by TrendAI™ Zero Day Initiative™ (ZDI), saw teams successfully exploit critical flaws in ten target categories. The competition, held at a convention center in Berlin, Germany, drew researchers from DEVCORE Research Team, STARLabs SG, Out of Bounds, and other security firms.
The record-breaking prize pool reflects the increasing complexity of modern software ecosystems. Targets included major technology vendors such as AWS, Microsoft, VMware, OpenAI, and NVIDIA. The vulnerabilities spanned traditional enterprise applications and emerging AI sub-categories, highlighting the expanding attack surface in the sector.
Researchers demonstrated exploits that allowed remote code execution, privilege escalation, and data exfiltration without user interaction. Each successful attack earned cash prizes based on the severity of the vulnerability and the difficulty of the exploit. The total payout surpassed previous records set at similar competitions.
Vendor representatives attended the event to observe the demonstrations and receive technical details for patching. The structured bug bounty format provides companies with advance notice of critical flaws, allowing them to issue security updates before malicious actors can exploit the weaknesses.
The inclusion of AI systems marked a significant shift in the competition's scope. Teams targeted machine learning models and AI-driven interfaces, revealing vulnerabilities that could compromise decision-making algorithms or manipulate outputs. This focus aligns with growing industry concerns about the security of artificial intelligence infrastructure.
Microsoft and NVIDIA representatives acknowledged the findings and confirmed they are working on patches. AWS and VMware also confirmed receipt of vulnerability reports and are coordinating with researchers to address the issues. OpenAI did not immediately comment on the specific exploits demonstrated.
The competition concluded with a ceremony where winning teams received their awards. DEVCORE Research Team secured the largest individual payout for a series of exploits against enterprise software. STARLabs SG and Out of Bounds also achieved significant wins in the AI and cloud infrastructure categories.
Security experts noted that the high number of zero-days discovered underscores the need for continued investment in software security. The event serves as a controlled environment for identifying weaknesses that could otherwise remain hidden until exploited in the wild.
Questions remain regarding the timeline for patch deployment across all affected vendors. Some researchers indicated that certain vulnerabilities may require more extensive remediation efforts, potentially leaving systems exposed for weeks or months. Vendors have not provided specific dates for the release of security updates.
The next Pwn2Own event is scheduled for later in 2026, with organizers planning to expand the target categories further. Industry observers expect continued focus on AI and cloud technologies as these sectors mature and become more integral to global infrastructure.