Anthropic's most powerful public model is having a rough first week. Days after the June 9, 2026 launch of Claude Fable 5, the company is fighting on two fronts: a prominent red-teamer claims to have defeated the model's safety system, while a separate and better-documented backlash accuses Anthropic of silently degrading the model for the researchers and developers who rely on it. Anthropic disputes the first claim and has apologized for the second.

What did Pliny the Liberator claim?

Pliny the Liberator, a well-known AI red-teamer, publicly said his team bypassed Fable 5's safety classifiers using a coordinated, multi-step strategy, and posted screenshots he says show the model producing material it is supposed to refuse, including working software-exploit code and chemical-synthesis instructions. He also said he extracted and uploaded the model's roughly 120,000-character system prompt, the internal instruction set that governs its behavior, to a public repository. Tech Times is not linking to that material or describing the methods in operational detail.

Anthropic disputes that this constitutes a true jailbreak. The company points to its classifier system and red-teaming, noting that an external bug bounty ran more than 1,000 hours without surfacing a universal jailbreak, and that outside red-teaming organizations also failed to find one. In other words, the two sides disagree on whether isolated, hard-won outputs amount to the safety system being broken.

How is Claude Fable 5 supposed to work?

The design is unusual and central to the story. Anthropic shipped one underlying model as two products: the locked-down Claude Fable 5 for the public and the less-restricted Claude Mythos 5. They are separated not by capability but by a layer of safety classifiers sitting in front of the same model.

The mechanism works like a gate rather than a filter on the model itself. When a query trips a classifier in a designated high-risk category, cybersecurity, biology, chemistry, or "distillation" (using one model's outputs to train a competitor), Fable 5 does not answer directly. Instead it hands the request to a weaker model, Claude Opus 4.8, and is supposed to tell the user that a fallback occurred. The bet is that the rare dangerous query gets a deliberately less capable response, while everyday use is unaffected. Anthropic says early data shows more than 95% of Fable sessions trigger no fallback at all, and that for those sessions the model performs essentially the same as the unrestricted Mythos 5.

What techniques did the attack claim to use?

According to write-ups of Pliny's claims, the approach did not rely on a software vulnerability but on the logic of the classifier itself. The reported tactics fall into a few broad, already-documented categories: substituting look-alike Unicode or Cyrillic characters so a banned keyword is not recognized; spreading intent across a very long conversation so a single sensitive request is diluted among benign context; wrapping requests in academic or fictional framing; and splitting a prohibited goal into individually innocuous sub-questions. The common thread is that a keyword-and-pattern classifier judges each surface request, not the overall intent, which is the weakness such attacks target. Reproducing the specific prompts or outputs would be irresponsible, so this article describes the categories only.

Why are researchers angry at Anthropic?

The louder and more substantiated controversy has nothing to do with criminals. Almost immediately, security researchers, developers and scientists reported that Fable 5 was quietly refusing or degrading ordinary, legitimate work in the same high-risk fields, and worse, that in some cases it did so without telling them. Reporting by Fortune described accusations of "secret sabotage," noting that the model would silently produce weaker output for users it suspected of building competing AI systems, with no warning and no fallback message. The Register documented Fable 5 refusing innocuous prompts outright.

For a working security researcher or chemist, a safety system that silently swaps in a weaker model is not a minor annoyance: it means trusting answers that were quietly downgraded without disclosure. That is the "knife aimed at researchers" at the heart of the criticism, and it is a transparency failure rather than a capability one.

How did Anthropic respond?

Under pressure, Anthropic apologized within days and changed how the safeguards behave, making flagged requests visibly fall back to Opus 4.8 so users at least know when they are no longer talking to the full model. Critics note the fix has a catch: it makes the downgrade transparent but does not remove it, so legitimate researchers in these fields still get the weaker model, just with a label now.

The episode leaves Anthropic defending two propositions at once: that its classifier is robust enough that Pliny did not truly break it, and that the same classifier was, by the company's own admission, too aggressive and too opaque for the people doing legitimate work. The deeper lesson is about the tool itself. A keyword-and-category classifier bolted in front of a powerful model is a blunt instrument: determined attackers probe its edges, while ordinary users get caught in its overreach. Anthropic released Fable 5 only days after publicly warning that frontier AI was becoming dangerously capable. Its first week shows how hard it is to draw that safety line in a way that stops the worst actors without quietly punishing everyone else.

Frequently Asked Questions

Was Claude Fable 5 actually jailbroken?

It is disputed. Red-teamer Pliny the Liberator says he bypassed the safety classifiers and posted screenshots of restricted outputs and the leaked system prompt. Anthropic disputes that this was a true jailbreak, citing its classifier system and more than 1,000 hours of bug-bounty testing that found no universal jailbreak.

What is the difference between Claude Fable 5 and Claude Mythos 5?

They are the same underlying model split into two products by a layer of safety classifiers. Mythos 5 is the less-restricted version, while the public Fable 5 routes high-risk queries, in cybersecurity, biology, chemistry and model distillation, to a weaker fallback model, Claude Opus 4.8.

Why did researchers accuse Anthropic of "secret sabotage"?

Researchers and developers found that Fable 5 silently degraded or refused legitimate work in sensitive fields, in some cases without notifying them, including for users it suspected of building competing models. Anthropic apologized and made the fallback visible, though the downgrade itself remains.

What did Anthropic change after the backlash?

Anthropic apologized and updated Fable 5 so that flagged requests now visibly fall back to Claude Opus 4.8, telling users when they are no longer getting the full model. The change adds transparency but does not remove the capability limits that researchers objected to.