GLM-5.2 Records 39% F1 on Semgrep IDOR Benchmark, Exceeding Claude Code

Semgrep evaluated GLM-5.2 against its internal IDOR dataset using the identical prompt applied to frontier models. The open-weight 750B MoE model, with 40B active parameters and 1M context, operated without endpoint enumeration or guided navigation. It outperformed Claude Code and Claude Opus 4.8 under these constraints while trailing Semgrep's purpose-built multimodal pipeline at 53-61% F1.

The benchmark isolates model contribution by stripping harness scaffolding. GLM-5.2's result demonstrates that parameter-efficient inference and extended reliable context transfer directly to multi-file authorization reasoning required for IDOR detection. Zhipu released weights under MIT license on June 16 2026 after internal rollout on June 13, enabling on-premise deployment unavailable to closed frontier agents.

This outcome compresses the performance gap between open-weight and closed models on concrete security tasks. Security teams restricted to air-gapped environments now have a documented alternative that exceeds one frontier coding agent at lower marginal cost. Operational adoption will hinge on fine-tuning stability and integration latency rather than raw benchmark position.

Subsequent evaluations must test GLM-5.2 on additional CVE-derived datasets and measure degradation across agent trajectory lengths beyond 200K tokens to confirm sustained advantage.