Upgrade the anthropic Python SDK to 0.87.0 immediately if you use the filesystem memory tool. Docker deployments face the highest risk — permissive default umasks make memory files world-writable, allowing any co-resident process to tamper with agent state and silently poison future model context. As an interim control, set explicit umask restrictions in your Dockerfiles and audit existing memory file permissions.
What is the risk?
Medium severity with elevated risk in containerized environments. EPSS is near-zero (0.00012) and exploitation requires local access, limiting remote attack surface. However, Docker base images commonly ship with permissive umasks, making the write primitive trivially available to any co-resident service or compromised process. The ability to modify agent memory — effectively injecting false context into future model interactions — elevates impact well beyond simple data disclosure.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| Anthropic Python | pip | >= 0.86.0, < 0.87.0 | 0.87.0 |
Do you use Anthropic Python? You're affected.
What should I do?
1. PATCH: Upgrade the anthropic SDK to 0.87.0 immediately.
2. AUDIT: Locate exposed memory files with `find . -name '*.json' -perm /o+rw`; restrict them with `chmod 600`.
3. HARDEN: Set an explicit umask (0o077 or stricter) in Dockerfiles and container entrypoint scripts.
4. DETECT: Monitor memory file modification timestamps for unexpected writes outside the normal agent process context; alert on anomalies.
5. ROTATE: Treat existing memory files as potentially compromised; purge and recreate agent state if memory files were accessible to other processes.
Frequently Asked Questions
Is CVE-2026-34450 actively exploited?
No confirmed active exploitation of CVE-2026-34450 has been reported, but organizations should still patch proactively.
What systems are affected by CVE-2026-34450?
This vulnerability affects the following AI/ML architecture patterns: agent frameworks, containerized AI workloads, multi-tenant AI deployments, AI agent pipelines with persistent memory.
What is the CVSS score for CVE-2026-34450?
No CVSS score has been assigned yet.
What is the AI security impact?
Affected AI Architectures: agent frameworks, containerized AI workloads, multi-tenant AI deployments, AI agent pipelines with persistent memory.
MITRE ATLAS Techniques
- AML.T0010.001 AI Software
- AML.T0037 Data from Local System
- AML.T0080.000 Memory
- AML.T0081 Modify AI Agent Configuration
What are the technical details?
Original Advisory
The Claude SDK for Python provides access to the Claude API from Python applications. From version 0.86.0 to before version 0.87.0, the local filesystem memory tool in the Anthropic Python SDK created memory files with mode 0o666, leaving them world-readable on systems with a standard umask and world-writable in environments with a permissive umask such as many Docker base images. A local attacker on a shared host could read persisted agent state, and in containerized deployments could modify memory files to influence subsequent model behavior. Both the synchronous and asynchronous memory tool implementations were affected. This issue has been patched in version 0.87.0.
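The umask dependence described in the advisory, together with the AUDIT and HARDEN steps from the remediation list above, as an added example that is not code from the anthropic SDK or from this advisory. The file names, the `*.json` pattern and the sample file content are constructed for the demonstration; the SDK's actual memory file layout is not described on this page. The script temporarily changes its own umask to reproduce the container case, so the same `0o666` request produces a world-readable file under a typical interactive umask and a world-writable one under a permissive umask, while an explicit `0o600` request is unaffected either way.

```python
"""Added example (not the SDK's code): why a 0o666 create mode depends on the
process umask, why an explicit 0o600 does not, and an audit/restrict pass that
mirrors `find . -name '*.json' -perm /o+rw` followed by `chmod 600`."""
import os
import stat
import tempfile
from pathlib import Path

# The same two bits `find -perm /o+rw` matches: other-read or other-write.
WORLD_RW = stat.S_IROTH | stat.S_IWOTH  # 0o006


def write_memory_file(path: Path, data: bytes, mode: int, umask: int) -> int:
    """Create `path` with the requested create mode under a given umask.

    Returns the permission bits the file ended up with. The umask is a
    process-wide attribute (inherited by children), so it is restored after."""
    old = os.umask(umask)
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
        try:
            os.write(fd, data)
        finally:
            os.close(fd)
    finally:
        os.umask(old)
    return stat.S_IMODE(path.stat().st_mode)


def write_memory_file_hardened(path: Path, data: bytes) -> int:
    """Hardened variant: request 0o600 at creation (a umask can only clear bits,
    never add them) and fchmod the open descriptor to 0o600 so that a
    pre-existing file with loose bits is tightened before data is written."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    try:
        os.fchmod(fd, 0o600)
        os.write(fd, data)
    finally:
        os.close(fd)
    return stat.S_IMODE(path.stat().st_mode)


def audit_world_accessible(root: Path, pattern: str = "*.json") -> list[Path]:
    """Python equivalent of `find root -name '*.json' -perm /o+rw`:
    regular files with any 'other' read or write bit set."""
    found = []
    for p in sorted(root.rglob(pattern)):
        st = p.lstat()  # lstat: do not follow symlinks found in the tree
        if stat.S_ISREG(st.st_mode) and st.st_mode & WORLD_RW:
            found.append(p)
    return found


def restrict(paths: list[Path]) -> int:
    """`chmod 600` each audited file; returns how many were changed."""
    for p in paths:
        os.chmod(p, 0o600)
    return len(paths)


def demo() -> dict[str, int]:
    """Run the whole sequence in a scratch directory and report what was observed."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        payload = b'{"memories": []}'  # constructed sample content, not the SDK's format
        # 0o666 under a typical interactive umask (022): world-readable (0o644)
        std = write_memory_file(root / "std.json", payload, 0o666, 0o022)
        # 0o666 under a permissive umask (000), as in many container images: world-writable (0o666)
        permissive = write_memory_file(root / "container.json", payload, 0o666, 0o000)
        # explicit 0o600 is immune to the umask
        hardened = write_memory_file_hardened(root / "hardened.json", payload)
        exposed = audit_world_accessible(root)   # both 0o644 and 0o666 files match o+rw
        restrict(exposed)
        remaining = audit_world_accessible(root)
        return {"std": std, "permissive": permissive, "hardened": hardened,
                "exposed": len(exposed), "exposed_after": len(remaining)}


if __name__ == "__main__":
    print({k: (oct(v) if k in ("std", "permissive", "hardened") else v)
           for k, v in demo().items()})
```

Because the umask is a per-process attribute, a `umask 077` in a Dockerfile `RUN` line only affects that build step; the setting that protects the running agent is the one applied in the entrypoint script (or the shell that launches the process) before the agent starts, which is why the HARDEN step names the entrypoint explicitly.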
Exploitation Scenario
In a Dockerized multi-agent deployment, a compromised microservice running in the same container reads agent memory files (0o666 permissions) to harvest conversation history and prior API context. The attacker then writes poisoned entries to the memory file, injecting fabricated prior interactions that instruct the agent to exfiltrate data via tool calls or bypass content controls on subsequent requests. Because memory is loaded as trusted context at session startup, the agent processes injected instructions without user or operator visibility. The attack requires no network access, no authentication bypass, and produces no API-layer audit log entries.
Weaknesses (CWE)
- CWE-276 Incorrect Default Permissions (Primary)
- CWE-732 Incorrect Permission Assignment for Critical Resource (Primary)
CWE-276 — Incorrect Default Permissions: During installation, installed file permissions are set to allow anyone to modify those files.
- [Architecture and Design, Operation] The architecture needs to restrict access and modification attributes for files to only those users who actually require those actions.
- [Architecture and Design] Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.
Source: MITRE CWE corpus.
References
- github.com/advisories/GHSA-q5f5-3gjm-7mfm
- nvd.nist.gov/vuln/detail/CVE-2026-34450
- github.com/anthropics/anthropic-sdk-python/commit/715030ceb4d6dd8d3546e999c680e29532bf1255
- github.com/anthropics/anthropic-sdk-python/releases/tag/v0.87.0
- github.com/anthropics/anthropic-sdk-python/security/advisories/GHSA-q5f5-3gjm-7mfm
Related Vulnerabilities
- CVE-2026-7574 (8.7): Claude Desktop: VM integrity bypass enables RCE (same package: anthropic)
- CVE-2026-45370 (7.7): utcp-cli: env leak exfiltrates all agent process secrets (same package: anthropic)
- CVE-2026-21852 (7.5): claude_code: Weak Credentials allow account compromise (same package: anthropic)
- CVE-2026-41863 (6.5): Analysis pending (same package: anthropic)
- GHSA-534h-c3cw-v3h9 (5.5): Nuxt: local unauth IPC leaks .env secrets on shared hosts (same package: anthropic)