Mythos Leak - Headless CMS Draft Exposure

Reproduce the March 2026 Mythos leak that exposed an unreleased frontier model

Difficulty: Medium | Updated 03 Jun 2026 | Free Access | Solution (Pro)
Tags: Web Exploitation, Headless CMS, API Enumeration, Information Disclosure, Revision History, Token Abuse, Privilege Escalation

Based on a true incident. March 2026: two researchers found a major AI lab quietly leaking an unreleased frontier model. Step into their shoes, reproduce the find, then push it one step further than the public report ever did. Same platform, same misconfiguration, same API shapes, down to the error responses you would see if you probed the real service today.

2 Flags | 40 XP | 21% Success Rate

The real Mythos leak, March 2026

In March 2026, Fortune reported that a major AI lab had accidentally exposed thousands of unpublished assets through its headless CMS. Among them was a draft post announcing an unreleased frontier model. Two security researchers, Roy Paz of LayerX and Alexandre Pauwels of the University of Cambridge, found it. The whole incident came down to one configuration mistake on a real-world platform that powers a lot of marketing sites you have visited.

You are the researcher

This lab drops you into the same starting position Roy and Alexandre had: a marketing page, a hunch, and a single curl session. You bring the curiosity; the lab brings a faithful reproduction of that misconfiguration on the same platform, with the same API shapes and the same error responses the real service returned.

Going further than the public report

The first stage of this lab is a faithful replay of the incident. The second stage pushes past it: there is something the team thought they had locked away, and the same misconfiguration that exposed the draft also makes it reachable if you look in the right place. Practicing the full chain hands-on is the fastest way to build the instinct for spotting the same pattern on a real engagement.

What You Will Learn

  • Fingerprint a third-party CMS from front-end clues
  • Enumerate exposed content via a misconfigured public API
  • Recover information that was deleted but not actually gone
  • Chain anonymous access into authenticated access across trust boundaries
  • Recognize default-public misconfigurations in modern headless CMS platforms
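As an added example for the first item above (fingerprinting the CMS from front-end clues), the script below is not part of the lab, the public report, or any vendor's code. It parses a page's HTML for resources that point at the public API and asset hostnames of several common headless CMS products, and flags any API token passed in a resource URL, which is the first thing to check before probing the API itself. The hostname table comes from the vendors' public documentation; the lab page does not identify the target's platform, so the product that appears in the constructed sample (Contentful, with placeholder space id abc123 and token EXAMPLE_TOKEN) is an illustration only, not a statement about the lab target or the real incident.

```python
"""Fingerprint a third-party headless CMS from front-end clues.

Added example for this lab page, not code from the lab or the researchers.
The hostname table is an editorial assumption drawn from vendor docs; the
sample page and every identifier in it are constructed placeholders.
"""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Delivery/asset hostnames of several headless CMS products. A hit is a
# fingerprint, not evidence of misconfiguration; that needs a follow-up probe.
SIGNATURES = {
    "Contentful": (r"(^|\.)cdn\.contentful\.com$", r"(^|\.)preview\.contentful\.com$",
                   r"(^|\.)(images|assets)\.ctfassets\.net$"),
    "Sanity": (r"\.api\.sanity\.io$", r"(^|\.)cdn\.sanity\.io$"),
    "Prismic": (r"\.cdn\.prismic\.io$", r"(^|\.)images\.prismic\.io$"),
    "Storyblok": (r"(^|\.)api\.storyblok\.com$", r"(^|\.)a\.storyblok\.com$"),
    "Contentstack": (r"(^|\.)cdn\.contentstack\.io$", r"(^|\.)images\.contentstack\.io$"),
}

# Query-string keys under which front ends commonly pass an API token.
# Assumed for the demo; not a complete catalogue.
TOKEN_PARAMS = {"access_token", "token", "api_key", "apikey"}


class ResourceCollector(HTMLParser):
    """Collect absolute URLs from tag attributes and from inline script text."""

    URL_ATTRS = {"src", "href", "data-src", "content"}
    INLINE_URL_RE = re.compile(r"https?://[^\s\"'<>\\]+")

    def __init__(self):
        super().__init__()
        self.urls = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
        for name, value in attrs:
            if name not in self.URL_ATTRS or not value:
                continue
            if value.startswith("//"):   # protocol-relative URL
                value = "https:" + value
            if "://" in value:           # skip same-origin relative paths
                self.urls.append(value)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Hydration blobs and config objects in inline JS usually name the
        # real API endpoint the single-page app talks to.
        if self._in_script:
            self.urls.extend(self.INLINE_URL_RE.findall(data))


def fingerprint(html):
    """Return (cms_names, matched_hosts, leaked_tokens) for one page's HTML.

    leaked_tokens holds (host, param_name, value) for every token-like
    query parameter found on a collected resource URL.
    """
    collector = ResourceCollector()
    collector.feed(html)
    names, hosts, tokens = set(), set(), []
    for url in collector.urls:
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        for cms, patterns in SIGNATURES.items():
            if any(re.search(p, host) for p in patterns):
                names.add(cms)
                hosts.add(host)
        for key, values in parse_qs(parsed.query).items():
            if key.lower() in TOKEN_PARAMS:
                tokens.append((host, key, values[0]))
    return sorted(names), sorted(hosts), tokens


# Constructed sample: a marketing page whose hydration blob names the CMS
# delivery endpoint and carries the token the browser uses to call it.
SAMPLE_HTML = """<!doctype html>
<html><head>
<link rel="preconnect" href="https://images.ctfassets.net">
<script src="/_next/static/chunks/main.js"></script>
<script>window.__CMS__ = {"endpoint": "https://cdn.contentful.com/spaces/abc123/environments/master/entries?access_token=EXAMPLE_TOKEN"};</script>
</head><body>
<img src="//images.ctfassets.net/abc123/hero.png" alt="hero">
</body></html>
"""

if __name__ == "__main__":
    names, hosts, tokens = fingerprint(SAMPLE_HTML)
    print("CMS guess :", ", ".join(names) or "none")
    print("API hosts :", ", ".join(hosts) or "none")
    for host, key, value in tokens:
        print(f"token in resource URL: {key}={value} ({host})")
```

Against a live target you would feed the output of `curl -s` on the marketing page into `fingerprint()` instead of SAMPLE_HTML; a matched host tells you which vendor's API documentation to read next, and a token in a resource URL tells you which credential the site already hands to every visitor.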

Prerequisites

  • HTTP basics
  • curl command line
  • JSON response reading
  • Basic API enumeration

Start Your Challenge

Launch your dedicated machine to begin: about 1-2 minutes of setup, a dedicated server, a private instance, standard power.

New here? Here's what to do:
  1. Click "Start Lab" above. You'll get your own private machine with an IP address.
  2. Explore the target. Open the IP in your browser and look for vulnerabilities.
  3. Find and submit flags. Flags are secret text strings hidden in the system; paste them into the submission box to score.
