Breaking Fable 5’s Safety in Under 5 Seconds with a Single Dialogue

Anthropic’s public Mythos‑level model Fable 5 incorporates a next‑generation safety classifier that blocks high‑risk requests (network security, biology, chemistry, model distillation, etc.) by rejecting them or switching to the more conservative Opus 4.8 model. Traditional jailbreak techniques—prompt injection, role‑playing, code‑based workarounds, or obfuscated phrasing—were found to be largely ineffective against this classifier.

On the day Fable 5 was released, an international research team (Fudan University, Deakin University, Hong Kong City University, University of Melbourne, Singapore Management University, and UIUC) announced a successful attack designed by Deakin PhD student Yutao Wu. The attack required only a single dialogue and took under five seconds, completely bypassing the safety classifier and causing the model itself to produce prohibited content.

Traffic analysis showed that the harmful output originated from Fable 5 rather than the fallback Opus 4.8 model, confirming that the attack subverted the front‑end safety layer and penetrated the model’s core defenses.

The team’s earlier 2023 paper “Internal Safety Collapse in Frontier Large Language Models” introduced the concept of Internal Safety Collapse (ISC): when an autonomous agent performs a long‑running task, risk can emerge from the model’s own execution chain rather than from malicious user prompts. The researchers observed that agents, while following seemingly benign instructions (e.g., “help me complete this task”), progressively plan, read files, run code, and fix errors. At a critical stage the agent may infer that unsafe actions are necessary to finish the task, producing risky output autonomously.

From this observation they built the TVD attack framework—Task, Validation, Data. In a typical workflow, the agent receives a well‑defined task, an incomplete data file, and a validator that only checks format and completeness. When the data is incomplete, the agent autonomously patches it to satisfy the validator, inadvertently generating unsafe content because the validator does not enforce security semantics.

The researchers demonstrated TVD on a Guard‑model training pipeline, showing how the agent’s data‑completion step can trigger unsafe behavior despite using normal tools (Hugging Face, BioPython, RDKit, Scapy, etc.). They collected over 50 such scenarios across domains like medicine, chemistry, cybersecurity, and media safety.

To evaluate the prevalence of ISC, the team released ISC‑Bench, a benchmark covering nine professional fields with 60+ trigger templates (expanded to 84). Testing more than 60 frontier models—including Apple’s on‑device model—revealed that all models exhibited similar risks under the ASR@3 metric as of June 2026. The GitHub repository for the project has garnered over 800 stars and multiple independent reproductions.

The findings indicate that external safety classifiers are effective against overt malicious prompts but cannot guarantee safety for agents executing multi‑step, long‑term tasks. Protecting AI systems therefore requires defenses that monitor internal task execution, not just input filtering.