Anthropic lifts Fable 5 export controls on July 1 and proposes a CVSS-style severity framework for AI jailbreaks
Eighteen days after U.S. export controls froze global access to Claude Fable 5 and Mythos 5, Anthropic announced June 30 that the restrictions are lifted, effective July 1. The post-incident report that accompanied the announcement disclosed a retrained safety classifier, a new pre-release government testing protocol, and the first cross-vendor proposal for scoring AI jailbreak severity like software CVEs.
What happened
Anthropic released Fable 5 and Mythos 5 on June 9. Three days later, on June 12, U.S. export controls took effect after the government received a report from Amazon researchers describing a bypass technique: prompts that led Fable 5 to identify software vulnerabilities and, in one case, produce code demonstrating how a vulnerability could be exploited. Because Anthropic had no real-time way to verify user nationality, the company suspended access for all users globally, not just foreign nationals per Anthropic's post-incident report.
Commerce Secretary Howard Lutnick confirmed the controls were lifted on June 30, posting to X that his office had worked with Anthropic for two weeks to analyze and approve Fable 5. Fable 5 becomes available starting July 1 on the Claude Platform, Claude.ai, Claude Code, and Claude Cowork. Re-enabling access on AWS, Google Cloud, and Microsoft Foundry is in progress.
Anthropic's own post-incident testing found that Claude Opus 4.8, GPT-5.5, Kimi K2.7, and every other model it tested could identify the same vulnerabilities as Fable 5. The demonstration of how to exploit one specific vulnerability was reproducible on Claude Haiku 4.5, Claude Sonnet 4.6, multiple Opus versions, GPT-5.4, GPT-5.5, and Kimi K2.7, leading Anthropic to characterize the jailbreak as a borderline case rather than a unique Fable-level capability breach.
The new classifier trained in response blocks the specific Amazon-reported technique in over 99% of cases per the Anthropic report. NIST's Center for AI Standards and Innovation (CAISI), part of the Department of Commerce, tested both the old and new safeguards and confirmed the updated classifier meets an "extraordinarily strong" standard.
Why it matters
For operators running Claude Code or building on the Anthropic API, the immediate change is simple: Fable 5 is back, and the 18-day gap closes tomorrow. Pro, Max, Team, and select Enterprise plans get Fable 5 for up to 50% of weekly usage limits through July 7, after which it shifts to usage credits. Standard Enterprise seats have no bundled Fable 5 allowance and will need usage credits enabled to access the model at all.
The classifier does have a cost. Anthropic notes it flags some legitimate coding and debugging requests as false positives more often than before. The tradeoff is explicit: tighter safety margin in exchange for restoring global access. Operators building on Fable 5 should expect some friction on edge-case requests until the company refines it.
The bigger structural change is the governance piece. Until now, no agreed-upon vocabulary existed for assessing how serious a given AI jailbreak actually is. When the Amazon report surfaced in June, neither the government nor Anthropic had a shared framework for quickly deciding whether this was an emergency that warranted an immediate export block or a manageable issue that could be patched in a normal release cycle. The absence of that shared language is what turned a borderline classifier issue into an 18-day global access suspension.
The proposed jailbreak severity framework
Working with Amazon, Microsoft, Google, and other Glasswing program partners, Anthropic drafted a four-criteria scoring system for AI jailbreak severity. The criteria map onto how bad a jailbreak actually is in practice, not just how dramatic it sounds.
The first criterion is capability gain: how far beyond other available tools does the jailbreak take the attacker? If a jailbroken Fable 5 can only reach what Claude Opus 4.8 does without jailbreaking, the score is low. The second criterion is breadth: does the same technique unlock one narrow behavior or a wide class of harmful outputs? A single-target bypass scores low; a general-purpose unlock scores high.
The third criterion is ease of weaponization: how much skilled effort does it take to turn the jailbreak into an actual attack? A technique requiring many retries and expert prompting scores low. The fourth is discoverability: is the technique already posted publicly, or does it require specialist access to even obtain?
Anthropic explicitly frames this as analogous to CVSS, the Common Vulnerability Scoring System used across software security per the post-incident report. OpenAI and xAI have not yet announced whether they will adopt or contribute to the framework. Anthropic is also launching a HackerOne bug bounty program for security researchers to submit potential Fable 5 cyber jailbreaks once the model is live.
Deeper government collaboration
Beyond the classifier and severity framework, Anthropic outlined four standing commitments to government partners. For frontier models with national security implications, the company will provide designated government partners early access before broad release, with Anthropic technical staff working alongside government evaluators.
On rapid disclosure: when significant jailbreaks or misuse patterns emerge, Anthropic committed to notify appropriate government counterparts quickly and share new safeguards so they can be independently tested. The company will also participate in the interagency cybersecurity vulnerability clearinghouse created by the June 2 White House executive order on AI innovation and security.
A third commitment covers dedicated joint research, including a significant compute allocation to support government testing. The fourth covers working toward a shared, voluntary security and evaluation standard across frontier model providers.
These commitments formalize what were previously ad hoc interactions. The 18-day block made visible how much ambiguity existed in the process, and the response is an attempt to pre-agree on both the technical bar and the communication path before the next major model release.
What to watch next
Three concrete signals are worth tracking. First, whether OpenAI and xAI join the jailbreak severity framework: the four-criteria system only functions as an industry standard if competitors adopt a compatible version. Anthropic specifically called out inviting "other industry partners and model providers" to join.
Second, Mythos 5 is not fully restored. Anthropic confirmed access for a subset of U.S. organizations under the Glasswing program as of June 26, but broader domestic and international Glasswing expansion is still in progress. Mythos 5's restoration timeline is the cleaner signal for how quickly the government-Anthropic coordination process can move.
Third, watch whether the pre-release government testing protocol becomes codified in NIST standards or remains voluntary. The June 2 executive order on AI innovation and security created the statutory hook. Whether CAISI turns the Anthropic pilot into a repeatable process across multiple model providers is the governance question the next 12 months will answer.
Sources
- Redeploying Claude Fable 5: Anthropic post-incident report, June 30, 2026
- Howard Lutnick on X: Commerce Secretary confirmation, June 30, 2026