The UK’s AI Security Institute announced Friday that OpenAI’s GPT-5.6 Sol contains the same class of security vulnerabilities that researchers previously identified in Anthropic’s Fable 5, the model U.S. authorities restricted from foreign access earlier this year.

AISI researchers who tested GPT-5.6 Sol before its public release found they could bypass its safety mechanisms and force the model to perform offensive cyber operations autonomously. The institute described “universal vulnerabilities in cyberspace, including vulnerabilities that enable time-consuming tasks in areas such as vulnerability detection and exploit development,” according to Aroged.

The Finding

Researchers jailbroke GPT-5.6 Sol and directed it to find software vulnerabilities and autonomously hack target systems. AISI classified the GPT-5.6 jailbreak as “potentially more serious” than the one found in Fable 5, describing it as “general-purpose” and capable of enabling standalone exploits rather than simply identifying software flaws.

The shared vulnerability pattern across two models from different developers suggests the problem is architectural rather than implementation-specific. When the same jailbreak technique works on models built by separate teams using different training pipelines, it points to a deeper structural weakness in how frontier models handle safety constraints.

OpenAI’s Response

OpenAI acknowledged the findings but pushed back on their practical severity. The company said it gave AISI researchers “privileged access to the internal mechanisms of the system,” which accelerated the jailbreak process. OpenAI argued that average users would be “unlikely to be able to easily reproduce this approach.”

In its GPT-5.6 launch blog, OpenAI stated that “perfect security does not exist” and that “new vulnerabilities will be discovered, as well as new compromised systems that bypass existing security measures.” The company said it takes a “multi-layered” approach including continuous monitoring and a process to “quickly remediate” any breaches detected.

Pattern Recognition

This finding extends a trajectory AISI has documented since late 2024. In May 2026, the institute reported that the length of cyber tasks frontier models can complete autonomously has been doubling every few months, with recent models exceeding previous trend lines. In April, AISI’s evaluation of GPT-5.5 found it was “one of the strongest models we have tested on our cyber tasks” and the second model to solve a multi-step corporate network attack simulation end-to-end.

The Broader Problem

No reliable method exists to permanently secure frontier models against jailbreak attacks. Most AI companies rely on classifier-based filtering, using smaller models to detect and block suspicious requests before they reach the primary model. The fact that two leading frontier models share the same vulnerability class indicates that current safety engineering approaches have a common failure mode that attackers can exploit across providers.

For teams deploying autonomous agents in production, the implication is clear: safety mechanisms at the model layer cannot be treated as a reliable security boundary. Agent infrastructure needs defense-in-depth at the orchestration and execution layers regardless of which frontier model sits underneath.