CVE-2026-34450: anthropic-sdk: insecure file perms expose agent memory

GHSA-q5f5-3gjm-7mfm MEDIUM
Published March 31, 2026
CISO Take

Upgrade the anthropic Python SDK to 0.87.0 immediately if you use the filesystem memory tool. Docker deployments face the highest risk — permissive default umasks make memory files world-writable, allowing any co-resident process to tamper with agent state and silently poison future model context. As an interim control, set explicit umask restrictions in your Dockerfiles and audit existing memory file permissions.

What is the risk?

Medium severity with elevated risk in containerized environments. EPSS is near-zero (0.00012) and exploitation requires local access, limiting remote attack surface. However, Docker base images commonly ship with permissive umasks, making the write primitive trivially available to any co-resident service or compromised process. The ability to modify agent memory — effectively injecting false context into future model interactions — elevates impact well beyond simple data disclosure.

What systems are affected?

Package
Anthropic Python
Ecosystem
pip
Vulnerable Range
>= 0.86.0, < 0.87.0
Patched
0.87.0

Do you use the Anthropic Python SDK at a version from 0.86.0 up to (but not including) 0.87.0 with the local filesystem memory tool? You're affected.

How severe is it?

CVSS 3.1
N/A
EPSS
0.1%
chance of exploitation in 30 days
Higher than 2% of all CVEs
Exploitation Status
No known exploitation
Sophistication
Trivial

What should I do?

5 steps
  1. PATCH

    Upgrade anthropic SDK to 0.87.0 immediately.

  2. AUDIT

    Locate exposed memory files with find <memory-dir> -type f -perm /o+rw (check every regular file under the memory directory rather than assuming one extension); restrict each hit with chmod 600.

  3. HARDEN

    Set an explicit umask (077 or stricter) in the container entrypoint script or the process that launches the agent. A Dockerfile has no umask instruction; umask is a process attribute, so it must be set at startup (for example with umask 077 before exec'ing the agent).

  4. DETECT

    Monitor memory file modification timestamps for unexpected writes outside normal agent process context; alert on anomalies.

  5. ROTATE

    Treat existing memory files as potentially compromised — purge and recreate agent state if memory files were accessible to other processes.
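The audit, harden and rotate steps above, worked as one added Python example that is not SDK code. The insecure writer reproduces the 0o666 create the advisory describes so you can see the effect of the container umask; the hardened writer, the audit walker that flags group as well as other bits (stricter than the find command in step 2), the remediation pass, the temp-directory layout, file names and sample contents are all assumptions for illustration, not the memory tool's real layout.

```python
"""Audit and harden persisted agent memory files (added example, not SDK code).

Assumptions (not from the advisory): memory is a directory of regular files,
and "hardened" means mode 0o600 for the agent's own user regardless of umask.
"""
from __future__ import annotations

import os
import stat
import tempfile
from pathlib import Path


def write_memory_insecure(path: Path, data: bytes) -> int:
    """Pattern the advisory describes: the file is created with mode 0o666,
    so the effective permissions are 0o666 & ~umask. Under umask 022 that is
    0o644 (world-readable); under umask 000, common in Docker images, 0o666.
    Returns the resulting mode bits."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o666)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)
    return stat.S_IMODE(os.stat(path).st_mode)


def write_memory_hardened(path: Path, data: bytes) -> int:
    """Create the file owner-only and re-assert the mode with fchmod, so a
    file left behind by the vulnerable version (already 0o666) is fixed too.
    O_NOFOLLOW refuses to write through a symlink planted in a shared dir."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW, 0o600)
    try:
        # O_CREAT's mode is masked by umask and ignored for existing files;
        # fchmod on the open descriptor pins 0o600 in both cases.
        os.fchmod(fd, 0o600)
        os.write(fd, data)
    finally:
        os.close(fd)
    return stat.S_IMODE(os.stat(path).st_mode)


def audit_memory_dir(root: Path) -> list[tuple[str, int, str]]:
    """Walk root and report regular files any non-owner can read or write.
    Returns (relative path, mode, 'writable' | 'readable') sorted by path.
    Group/other write is the state-poisoning primitive; read is disclosure."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            st = os.lstat(p)
            if not stat.S_ISREG(st.st_mode):
                continue
            mode = stat.S_IMODE(st.st_mode)
            if mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((str(p.relative_to(root)), mode, "writable"))
            elif mode & (stat.S_IRGRP | stat.S_IROTH):
                findings.append((str(p.relative_to(root)), mode, "readable"))
    return sorted(findings)


def remediate(root: Path) -> int:
    """chmod 600 every finding (the page's AUDIT step); returns files changed."""
    fixed = 0
    for rel, _mode, _kind in audit_memory_dir(root):
        os.chmod(root / rel, 0o600)
        fixed += 1
    return fixed


def demo(umask: int) -> dict:
    """Create one file with each writer under the given umask, audit, then
    remediate. Restores the process umask afterwards. Constructed data only."""
    old = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as tmp:
            root = Path(tmp)
            insecure = write_memory_insecure(root / "insecure.md", b"constructed sample\n")
            hardened = write_memory_hardened(root / "hardened.md", b"constructed sample\n")
            findings = audit_memory_dir(root)
            fixed = remediate(root)
            clean_after = audit_memory_dir(root) == []
    finally:
        os.umask(old)
    return {"insecure": insecure, "hardened": hardened,
            "findings": findings, "fixed": fixed, "clean_after": clean_after}


if __name__ == "__main__":
    for um in (0o000, 0o022, 0o077):
        r = demo(um)
        shown = [(f, oct(m), k) for f, m, k in r["findings"]]
        print(f"umask {um:03o}: insecure={r['insecure']:04o} "
              f"hardened={r['hardened']:04o} findings={shown} fixed={r['fixed']}")
```

Run it as-is to see the three umask cases side by side; point audit_memory_dir at the real memory directory (as the agent's user) to get the list for step 2. The hardened writer is only a sketch of the property a fixed tool needs (owner-only mode asserted on the open descriptor); upgrading to 0.87.0 remains the fix.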

What does CISA's SSVC say?

Decision Track
Exploitation none
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art. 9 - Risk Management System
ISO 42001
A.8.4 - Data Access Controls for AI Systems
NIST AI RMF
MANAGE-2.2 - Risk Treatment for Identified AI Risks
OWASP LLM Top 10
LLM02 - Sensitive Information Disclosure
LLM04 - Data and Model Poisoning

Frequently Asked Questions

What is CVE-2026-34450?

CVE-2026-34450 (GHSA-q5f5-3gjm-7mfm) is an incorrect-default-permissions flaw (CWE-276) in the local filesystem memory tool of the Anthropic Python SDK. Versions from 0.86.0 up to, but not including, 0.87.0 created memory files with mode 0o666, so they were world-readable under a standard umask and world-writable under the permissive umask common in Docker base images. A local user on a shared host can read persisted agent state; where the files are writable, a co-resident process can modify them and influence subsequent model behaviour. Both the synchronous and asynchronous memory tool implementations were affected; the fix is in 0.87.0.

Is CVE-2026-34450 actively exploited?

No confirmed active exploitation of CVE-2026-34450 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-34450?

1. PATCH: Upgrade anthropic SDK to 0.87.0 immediately. 2. AUDIT: Locate exposed memory files with `find <memory-dir> -type f -perm /o+rw` (check every regular file under the memory directory rather than assuming one extension); restrict each hit with `chmod 600`. 3. HARDEN: Set an explicit umask (077 or stricter) in the container entrypoint script or the process that launches the agent; a Dockerfile has no umask instruction, so it must be set at startup. 4. DETECT: Monitor memory file modification timestamps for unexpected writes outside normal agent process context; alert on anomalies. 5. ROTATE: Treat existing memory files as potentially compromised; purge and recreate agent state if memory files were accessible to other processes.

What systems are affected by CVE-2026-34450?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, containerized AI workloads, multi-tenant AI deployments, AI agent pipelines with persistent memory.

What is the CVSS score for CVE-2026-34450?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

agent frameworks
containerized AI workloads
multi-tenant AI deployments
AI agent pipelines with persistent memory

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0037 Data from Local System
AML.T0080.000 Memory
AML.T0081 Modify AI Agent Configuration

Compliance Controls Affected

EU AI Act: Art. 9
ISO 42001: A.8.4
NIST AI RMF: MANAGE-2.2
OWASP LLM Top 10: LLM02, LLM04

What are the technical details?

Original Advisory

The Claude SDK for Python provides access to the Claude API from Python applications. From version 0.86.0 to before version 0.87.0, the local filesystem memory tool in the Anthropic Python SDK created memory files with mode 0o666, leaving them world-readable on systems with a standard umask and world-writable in environments with a permissive umask such as many Docker base images. A local attacker on a shared host could read persisted agent state, and in containerized deployments could modify memory files to influence subsequent model behavior. Both the synchronous and asynchronous memory tool implementations were affected. This issue has been patched in version 0.87.0.

Exploitation Scenario

In a Dockerized multi-agent deployment, a compromised microservice running in the same container reads agent memory files (0o666 permissions) to harvest conversation history and prior API context. The attacker then writes poisoned entries to the memory file, injecting fabricated prior interactions that instruct the agent to exfiltrate data via tool calls or bypass content controls on subsequent requests. Because memory is loaded as trusted context at session startup, the agent processes injected instructions without user or operator visibility. The attack requires no network access, no authentication bypass, and produces no API-layer audit log entries.

Weaknesses (CWE)

CWE-276 — Incorrect Default Permissions: During installation, installed file permissions are set to allow anyone to modify those files.

  • [Architecture and Design, Operation] The architecture needs to restrict access and modification attributes for files to only those users who actually require those actions.
  • [Architecture and Design] Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.

Source: MITRE CWE corpus.

Timeline

Published
March 31, 2026
Last Modified
April 1, 2026
First Seen
March 31, 2026

Related Vulnerabilities