
How Anthropic's CMS Misconfiguration Leaked the Claude "Mythos" Model


Between March 13 and March 26, a draft blog post about an unreleased Claude model called "Mythos" sat in Anthropic's content management system with no authentication protecting it. Anyone who knew where to look could read it.

The leak didn't require any sophisticated attack. Anthropic uses Sanity.io, a headless CMS (a content management system where the backend database is separate from the frontend website), to manage their website content. They left unauthenticated read access enabled on their Sanity API, meaning the entire content database was queryable by the public.

How Someone Found It

The Sanity project ID - 4zrzovbb - was discoverable from Anthropic's own public image URLs. With that ID, anyone could hit the API endpoint and query for documents. The leaked article, stored under the document ID featureMythos, described what the author characterized as "a step change in capabilities" for the upcoming model.

The discovery likely came from monitoring Sanity's WebSockets endpoint, which streams all CMS changes in real time. Someone watching that feed between March 13 (when the draft was created) and March 26 (when the leak went public) would have seen the new content appear.

What makes this worse: even after Anthropic deleted the draft, the content remained accessible through Sanity's revision history. Appending ?revision=[id] or ?time=[timestamp] to API queries could pull up deleted documents. The CMS was functioning as designed - it just wasn't designed to be public-facing without access controls.
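For teams scoping a similar exposure on their own CMS, the added example below (not from the original article, Anthropic or Sanity) triages request-log records for unauthenticated reads and for reads that use the revision or time parameters described above. The log schema, field names, URL paths and sample records are constructed assumptions; adapt them to whatever request logging your platform actually provides.

```python
import json
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample records. The schema (ts, client, auth, url) and the URL
# paths are hypothetical, not Sanity's real request-log format.
SAMPLE_LOG = """\
{"ts": "2000-01-01T09:00:00Z", "client": "198.51.100.7", "auth": true, "url": "/data/query/production?query=x"}
{"ts": "2000-01-01T09:05:00Z", "client": "203.0.113.5", "auth": false, "url": "/data/query/production?query=x"}
{"ts": "2000-01-03T11:30:00Z", "client": "203.0.113.5", "auth": false, "url": "/data/doc/production/exampleDraft?revision=r1"}
{"ts": "2000-01-04T02:15:00Z", "client": "192.0.2.44", "auth": false, "url": "/data/doc/production/exampleDraft?time=2000-01-02T00:00:00Z"}
truncated-line-not-json
"""

HISTORY_PARAMS = {"revision", "time"}  # the two parameters the article names


def triage(log_text):
    """Summarise unauthenticated reads per client from NDJSON log text."""
    findings = defaultdict(lambda: {"unauth_reads": 0, "history_reads": 0,
                                    "first_seen": None, "last_seen": None})
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip damaged lines instead of aborting the triage
        if not isinstance(rec, dict) or rec.get("auth"):
            continue  # authenticated traffic is out of scope here
        entry = findings[rec.get("client", "unknown")]
        entry["unauth_reads"] += 1
        params = parse_qs(urlsplit(rec.get("url", "")).query, keep_blank_values=True)
        if HISTORY_PARAMS.intersection(params):
            entry["history_reads"] += 1  # read of a past or deleted revision
        ts = rec.get("ts", "")
        # Same-format ISO 8601 UTC strings sort chronologically as text.
        if entry["first_seen"] is None or ts < entry["first_seen"]:
            entry["first_seen"] = ts
        if entry["last_seen"] is None or ts > entry["last_seen"]:
            entry["last_seen"] = ts
    return dict(findings)


if __name__ == "__main__":
    for client, summary in sorted(triage(SAMPLE_LOG).items()):
        print(client, summary)
```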

The Fix

After being notified on the evening of March 26, Anthropic disabled all unauthenticated API access within hours. By the next morning, the vulnerability was closed.

The incident is a textbook example of a class of security mistakes that's increasingly common: misconfigured SaaS defaults. Many headless CMS platforms ship with permissive read access out of the box, and teams that don't explicitly lock down their API endpoints leave draft content, internal documents, and unpublished material exposed. Anthropic isn't the first company to get burned by this, and they won't be the last.

For Anthropic specifically, the damage is limited. The Mythos details are out, but no user data was exposed, and the fix was fast. The bigger takeaway is operational: if you're an AI company where model announcements move markets and shape competitor strategy, your CMS configuration probably deserves the same security scrutiny as your model weights.