CVE-2026-34452: Anthropic SDK: TOCTOU symlink escape in async memory tool
GHSA-w828-4qhx-vxx3 MEDIUM
The async filesystem memory tool in anthropic Python SDK 0.86.x allows a local attacker to escape the memory sandbox via a symlink swap between path validation and file use — a classic TOCTOU race. Upgrade to 0.87.0 immediately; if you cannot patch, switch to the synchronous memory tool (unaffected) as a stopgap. Blast radius is limited to local attackers with write access to the memory directory, but in shared or containerized agent environments this is a realistic threat.
What is the risk?
Medium risk overall, but elevated in multi-tenant or containerized AI agent deployments where filesystem isolation is the primary control. Local exploitation requires write access to the memory directory — an attacker already partially in the environment. EPSS of 0.00016 reflects minimal observed exploitation activity. The vulnerability's constraint (requires local write access) prevents mass exploitation, but in AI agent architectures where the memory directory is a shared resource or accessible via agent tool invocation, the attack surface widens considerably.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| anthropic | pip | >= 0.86.0, < 0.87.0 | 0.87.0 |
What should I do?
- Patch immediately: upgrade anthropic Python SDK to 0.87.0 (pip install anthropic==0.87.0).
- If patching is not immediately possible, switch from the async memory tool to the synchronous implementation — it is not vulnerable.
- Restrict filesystem permissions on the memory directory: ensure only the agent process user can write to it, preventing symlink planting by other local users.
- In containerized environments, enforce read-only mounts outside the memory directory and use user namespaces to reduce cross-process write access.
- Audit logs for unexpected file access patterns outside the memory sandbox directory.
- Scan your dependency lock files for anthropic >= 0.86.0 and < 0.87.0 across all services.
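The lock-file scan and the memory-directory permission check from the steps above can be scripted. The following is an added example, not code from the SDK or the advisory; the function names are hypothetical, and it assumes requirements-style (`anthropic==X`) or poetry.lock-style (`name`/`version`) pins and a POSIX filesystem.

```python
import os
import re
import stat
from pathlib import Path

# Pins as written in requirements-style files and in poetry.lock-style TOML.
PIN = re.compile(r'^anthropic(?:\[[^\]]*\])?\s*==\s*([0-9][0-9A-Za-z.]*)', re.I | re.M)
TOML = re.compile(r'name\s*=\s*"anthropic"\s*\n\s*version\s*=\s*"([^"]+)"', re.I)


def is_affected(version: str) -> bool:
    """True for the advisory's range: >= 0.86.0 and < 0.87.0 (pre-release tags ignored)."""
    nums = [int(p) for p in re.findall(r"\d+", version)[:3]]
    nums += [0] * (3 - len(nums))
    return (0, 86, 0) <= tuple(nums) < (0, 87, 0)


def affected_pins(lock_text: str) -> list[str]:
    """Pinned anthropic versions in the text that fall inside the vulnerable range."""
    found = PIN.findall(lock_text) + TOML.findall(lock_text)
    return sorted({v for v in found if is_affected(v)})


def audit_memory_dir(root: Path) -> list[str]:
    """Flag symlinks and group/world-writable entries in and under the memory directory."""
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root):  # does not descend into symlinks
        paths += [Path(dirpath) / n for n in dirnames + filenames]
    findings = []
    for p in paths:
        st = os.lstat(p)  # lstat: inspect the link itself, never its target
        rel = os.path.relpath(p, root)
        if stat.S_ISLNK(st.st_mode):
            findings.append(f"symlink: {rel} -> {os.readlink(p)}")
        elif st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"writable by group/other: {rel}")
    return findings
```

Run `affected_pins` over each service's lock file and `audit_memory_dir` as the agent process user; any finding from the latter means another local account may be able to plant or retarget links.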
CISA SSVC Assessment
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
Frequently Asked Questions
What is CVE-2026-34452?
The async filesystem memory tool in anthropic Python SDK 0.86.x allows a local attacker to escape the memory sandbox via a symlink swap between path validation and file use — a classic TOCTOU race. Upgrade to 0.87.0 immediately; if you cannot patch, switch to the synchronous memory tool (unaffected) as a stopgap. Blast radius is limited to local attackers with write access to the memory directory, but in shared or containerized agent environments this is a realistic threat.
Is CVE-2026-34452 actively exploited?
No confirmed active exploitation of CVE-2026-34452 has been reported, but organizations should still patch proactively.
How to fix CVE-2026-34452?
1. Patch immediately: upgrade anthropic Python SDK to 0.87.0 (pip install anthropic==0.87.0).
2. If patching is not immediately possible, switch from the async memory tool to the synchronous implementation — it is not vulnerable.
3. Restrict filesystem permissions on the memory directory: ensure only the agent process user can write to it, preventing symlink planting by other local users.
4. In containerized environments, enforce read-only mounts outside the memory directory and use user namespaces to reduce cross-process write access.
5. Audit logs for unexpected file access patterns outside the memory sandbox directory.
6. Scan your dependency lock files for anthropic >= 0.86.0 and < 0.87.0 across all services.
What systems are affected by CVE-2026-34452?
This vulnerability affects the following AI/ML architecture patterns: agent frameworks, LLM application backends, AI agent memory systems, multi-tenant AI inference environments.
What is the CVSS score for CVE-2026-34452?
No CVSS score has been assigned yet.
Technical Details
NVD Description
The Claude SDK for Python provides access to the Claude API from Python applications. From version 0.86.0 to before version 0.87.0, the async local filesystem memory tool in the Anthropic Python SDK validated that model-supplied paths resolved inside the sandboxed memory directory, but then returned the unresolved path for subsequent file operations. A local attacker able to write to the memory directory could retarget a symlink between validation and use, causing reads or writes to escape the sandbox. The synchronous memory tool implementation was not affected. This issue has been patched in version 0.87.0.
Exploitation Scenario
An attacker with local write access (e.g., a compromised container co-tenant, a malicious tool invoked by the agent, or a low-privilege service account on the same host) plants a symlink inside the memory directory pointing to a target outside the sandbox — for example, /app/.env or ~/.aws/credentials. When the async memory tool validates the path, the symlink resolves to a location inside the sandbox, passing the check. Before the subsequent file I/O operation executes, the attacker atomically replaces the symlink target to point to the sensitive file. The tool performs the read or write against the sensitive target. In an agent context, the attacker could use an agent-invokable tool to trigger this race, exfiltrating secrets or injecting malicious content into config files to escalate privileges.
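The validate-then-return-unresolved pattern from the NVD description, next to a form that returns the checked path, is shown below as an added example. It is not the SDK's code or its patch; all function names are hypothetical, the sandbox is a constructed temp directory, and POSIX (`O_NOFOLLOW`) is assumed.

```python
import os
import tempfile
from pathlib import Path


def validate_flawed(root: Path, rel: str) -> Path:
    """Pattern from the description: check the resolved path, return the unresolved one."""
    candidate = root / rel
    if not candidate.resolve().is_relative_to(root.resolve()):
        raise ValueError("path escapes memory directory")
    return candidate  # still names the symlink, so it is re-resolved at open() time


def validate_resolved(root: Path, rel: str) -> Path:
    """Return the exact path that passed the containment check."""
    resolved = (root / rel).resolve()
    if not resolved.is_relative_to(root.resolve()):
        raise ValueError("path escapes memory directory")
    return resolved


def read_nofollow(path: Path) -> str:
    """O_NOFOLLOW refuses a symlink as the final component (not intermediate ones)."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    with os.fdopen(fd, "r") as fh:
        return fh.read()


def demo() -> dict:
    """Constructed scenario: the link target changes between check and use."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "memories"
        root.mkdir()
        (root / "note.txt").write_text("inside")
        outside = Path(tmp) / "secret.txt"
        outside.write_text("outside")
        link = root / "entry"
        link.symlink_to(root / "note.txt")
        flawed = validate_flawed(root, "entry")
        safe = validate_resolved(root, "entry")
        link.unlink()
        link.symlink_to(outside)  # target changed after validation
        result = {"flawed": flawed.read_text(), "safe": read_nofollow(safe)}
        try:
            validate_resolved(root, "entry")
            result["revalidate"] = "accepted"
        except ValueError:
            result["revalidate"] = "rejected"
        return result
```

Returning the resolved path only covers the final component; directory components can still be replaced by anyone with write access to the memory directory, which is why the permission restriction remains necessary alongside the upgrade.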
References
- github.com/advisories/GHSA-w828-4qhx-vxx3
- nvd.nist.gov/vuln/detail/CVE-2026-34452
- github.com/anthropics/anthropic-sdk-python/commit/6599043eee6e86dce16953fcd1fd828052052be6
- github.com/anthropics/anthropic-sdk-python/releases/tag/v0.87.0
- github.com/anthropics/anthropic-sdk-python/security/advisories/GHSA-w828-4qhx-vxx3
Related Vulnerabilities
- CVE-2026-45370 7.7 utcp-cli: env leak exfiltrates all agent process secrets (Same package: anthropic)
- CVE-2026-21852 7.5 claude_code: Weak Credentials allow account compromise (Same package: anthropic)
- CVE-2026-42074 openclaude: sandbox bypass allows host-level RCE (Same package: anthropic)
- CVE-2026-34450 anthropic-sdk: insecure file perms expose agent memory (Same package: anthropic)
- CVE-2025-5120 10.0 smolagents: sandbox escape enables unauthenticated RCE (Same attack type: Code Execution)