CVE-2026-34452: Anthropic SDK: TOCTOU symlink escape in async memory tool

GHSA-w828-4qhx-vxx3 MEDIUM
Published March 31, 2026
CISO Take

The async filesystem memory tool in anthropic Python SDK 0.86.x allows a local attacker to escape the memory sandbox via a symlink swap between path validation and file use — a classic TOCTOU race. Upgrade to 0.87.0 immediately; if you cannot patch, switch to the synchronous memory tool (unaffected) as a stopgap. Blast radius is limited to local attackers with write access to the memory directory, but in shared or containerized agent environments this is a realistic threat.

What is the risk?

Medium risk overall, but elevated in multi-tenant or containerized AI agent deployments where filesystem isolation is the primary control. Local exploitation requires write access to the memory directory — an attacker already partially in the environment. EPSS of 0.00016 reflects minimal observed exploitation activity. The vulnerability's constraint (requires local write access) prevents mass exploitation, but in AI agent architectures where the memory directory is a shared resource or accessible via agent tool invocation, the attack surface widens considerably.

What systems are affected?

Package            Ecosystem   Vulnerable Range        Patched
Anthropic Python   pip         >= 0.86.0, < 0.87.0     0.87.0

How severe is it?

CVSS 3.1: N/A
EPSS: 0.1% chance of exploitation in 30 days (higher than 4% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Moderate

What should I do?

6 steps
  1. Patch immediately: upgrade anthropic Python SDK to 0.87.0 (pip install anthropic==0.87.0).

  2. If patching is not immediately possible, switch from the async memory tool to the synchronous implementation — it is not vulnerable.

  3. Restrict filesystem permissions on the memory directory: ensure only the agent process user can write to it, preventing symlink planting by other local users.

  4. In containerized environments, enforce read-only mounts outside the memory directory and use user namespaces to reduce cross-process write access.

  5. Audit logs for unexpected file access patterns outside the memory sandbox directory.

  6. Scan your dependency lock files for anthropic >= 0.86.0 and < 0.87.0 across all services.
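Steps 3 and 6 above as one added, runnable check (not part of the original advisory): it scans requirements/pip-freeze style lines and poetry.lock style name/version pairs for an anthropic pin in the affected range, and reports whether a memory directory is writable by group or others. The sample lock lines are constructed for this page, and the function names are this page's own, not the SDK's.

```python
import os
import re
import stat
import tempfile

# Affected range from the advisory: >= 0.86.0 and < 0.87.0
VULNERABLE_MIN = (0, 86, 0)
PATCHED = (0, 87, 0)


def parse_version(text: str) -> tuple:
    """Parse the leading major.minor.patch of a version string.
    A pre-release suffix (e.g. '0.86.0rc1') is ignored, so it is still flagged."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(n) for n in m.groups())


def is_vulnerable(version: str) -> bool:
    """True when the pinned version falls inside the affected range."""
    return VULNERABLE_MIN <= parse_version(version) < PATCHED


def scan_lockfile(lines) -> list:
    """Return every vulnerable anthropic pin found in the given lines.
    Handles 'anthropic==X.Y.Z' lines and poetry.lock style
    name = "anthropic" / version = "X.Y.Z" pairs."""
    findings = []
    pending_name = None
    for raw in lines:
        line = raw.strip()
        # requirements.txt / pip freeze: exact package name followed by ==
        m = re.match(r"^anthropic\s*==\s*([0-9][0-9A-Za-z.]*)", line, re.IGNORECASE)
        if m:
            if is_vulnerable(m.group(1)):
                findings.append(m.group(1))
            continue
        # poetry.lock: remember the package name, then inspect its version line
        m = re.match(r'^name\s*=\s*"([^"]+)"', line)
        if m:
            pending_name = m.group(1).lower()
            continue
        m = re.match(r'^version\s*=\s*"([^"]+)"', line)
        if m and pending_name == "anthropic":
            if is_vulnerable(m.group(1)):
                findings.append(m.group(1))
            pending_name = None
    return findings


def memory_dir_writable_by_others(path: str) -> bool:
    """True when group or other users could write (and therefore plant
    a symlink) in the directory; step 3 wants this to be False."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def harden_memory_dir(path: str) -> int:
    """Restrict the directory to its owner and return the new mode bits."""
    os.chmod(path, 0o700)
    return stat.S_IMODE(os.stat(path).st_mode)


def check_directory_demo() -> tuple:
    """Throwaway directory: open it up, then harden it.
    Returns (writable_by_others_before, writable_by_others_after)."""
    with tempfile.TemporaryDirectory() as tmp:
        os.chmod(tmp, 0o777)
        before = memory_dir_writable_by_others(tmp)
        harden_memory_dir(tmp)
        after = memory_dir_writable_by_others(tmp)
        return before, after


# Constructed sample lock-file content (not from any real project)
SAMPLE_REQUIREMENTS = """\
httpx==0.27.0
anthropic==0.86.2
anthropicish==0.86.0  # constructed name, not the SDK; must not match
""".splitlines()

SAMPLE_POETRY_LOCK = """\
[[package]]
name = "anthropic"
version = "0.87.0"

[[package]]
name = "httpx"
version = "0.27.0"
""".splitlines()


if __name__ == "__main__":
    print("requirements findings:", scan_lockfile(SAMPLE_REQUIREMENTS))
    print("poetry.lock findings: ", scan_lockfile(SAMPLE_POETRY_LOCK))
    print("memory dir (before, after hardening):", check_directory_demo())
```

Point `scan_lockfile` at `open("requirements.txt")` or `open("poetry.lock")` for each service; any non-empty result means that service needs the 0.87.0 upgrade.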

What does CISA's SSVC say?

Decision: Track
Exploitation: none
Automatable: No
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Art. 9 - Risk management system
ISO 42001: A.6.2.3 - AI system security by design
NIST AI RMF: MANAGE 2.2 - Treatments, responses, and recovery plans for AI risks
OWASP LLM Top 10: LLM03 - Supply Chain; LLM06 - Excessive Agency

Frequently Asked Questions

Is CVE-2026-34452 actively exploited?

No confirmed active exploitation of CVE-2026-34452 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-34452?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, LLM application backends, AI agent memory systems, multi-tenant AI inference environments.

What is the CVSS score for CVE-2026-34452?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

agent frameworks, LLM application backends, AI agent memory systems, multi-tenant AI inference environments

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0037 Data from Local System
AML.T0053 AI Agent Tool Invocation
AML.T0080.000 Memory
AML.T0105 Escape to Host

Compliance Controls Affected

EU AI Act: Art. 9
ISO 42001: A.6.2.3
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM03, LLM06

What are the technical details?

Original Advisory

The Claude SDK for Python provides access to the Claude API from Python applications. From version 0.86.0 to before version 0.87.0, the async local filesystem memory tool in the Anthropic Python SDK validated that model-supplied paths resolved inside the sandboxed memory directory, but then returned the unresolved path for subsequent file operations. A local attacker able to write to the memory directory could retarget a symlink between validation and use, causing reads or writes to escape the sandbox. The synchronous memory tool implementation was not affected. This issue has been patched in version 0.87.0.

Exploitation Scenario

An attacker with local write access (e.g., a compromised container co-tenant, a malicious tool invoked by the agent, or a low-privilege service account on the same host) plants a symlink inside the memory directory pointing to a target outside the sandbox — for example, /app/.env or ~/.aws/credentials. When the async memory tool validates the path, the symlink resolves to a location inside the sandbox, passing the check. Before the subsequent file I/O operation executes, the attacker atomically replaces the symlink target to point to the sensitive file. The tool performs the read or write against the sensitive target. In an agent context, the attacker could use an agent-invokable tool to trigger this race, exfiltrating secrets or injecting malicious content into config files to escalate privileges.

Weaknesses (CWE)

CWE-367 — Time-of-check Time-of-use (TOCTOU) Race Condition: The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.

  • [Implementation] The most basic advice for TOCTOU vulnerabilities is to not perform a check before the use. This does not resolve the underlying issue of the execution of a function on a resource whose state and identity cannot be assured, but it does help to limit the false sense of security given by the check.
  • [Implementation] When the file being altered is owned by the current user and group, set the effective gid and uid to that of the current user and group when executing this statement.

Source: MITRE CWE corpus.
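The check-then-use pattern described in the advisory and exploitation scenario above, next to the race-free construction the CWE guidance points at (no separate check; the open itself refuses symlinks), as an added example. This is not the SDK's code: `validate_then_return_unresolved`, `open_beneath` and `regression_check` are hypothetical names written for this page, and the files and symlink are created in a throwaway directory. It assumes a POSIX platform where os.open supports dir_fd, O_DIRECTORY and O_NOFOLLOW.

```python
import os
import pathlib
import tempfile


def validate_then_return_unresolved(memory_dir: pathlib.Path, user_path: str) -> pathlib.Path:
    """The flawed pattern the advisory describes (constructed illustration,
    not the SDK's code): the *resolved* path is checked against the sandbox,
    but the *unresolved* path is returned, so whatever the symlink points to
    at use time is what actually gets opened."""
    root = memory_dir.resolve()
    candidate = memory_dir / user_path
    resolved = candidate.resolve()
    if resolved != root and root not in resolved.parents:
        raise PermissionError(f"{user_path!r} escapes the memory directory")
    return candidate


def open_beneath(memory_dir: pathlib.Path, user_path: str, flags: int = os.O_RDONLY) -> int:
    """Race-free alternative (hypothetical helper): there is no check to race.
    Each component is opened relative to the previous directory fd with
    O_NOFOLLOW, so a symlink anywhere in the path fails at open time and
    nothing can be retargeted in between. Returns an open file descriptor."""
    if os.path.isabs(user_path):
        raise PermissionError("absolute paths are not allowed")
    parts = pathlib.PurePosixPath(user_path).parts
    if not parts or ".." in parts:
        raise PermissionError("empty or traversing paths are not allowed")
    dirfd = os.open(memory_dir, os.O_RDONLY | os.O_DIRECTORY)
    try:
        for comp in parts[:-1]:
            nxt = os.open(comp, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW, dir_fd=dirfd)
            os.close(dirfd)
            dirfd = nxt
        return os.open(parts[-1], flags | os.O_NOFOLLOW, dir_fd=dirfd)
    finally:
        os.close(dirfd)


def read_fd(fd: int) -> str:
    """Read a small file through its descriptor and close it."""
    try:
        return os.read(fd, 64).decode()
    finally:
        os.close(fd)


def regression_check() -> dict:
    """Reproduce the check/use ordering deterministically in a temp directory
    and report what each approach ended up doing. Useful as a unit test for
    any path-validation wrapper you maintain around an agent tool."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = pathlib.Path(tmp)
        memory_dir = tmp / "memory"
        memory_dir.mkdir()
        (memory_dir / "notes.txt").write_text("inside sandbox")
        (memory_dir / "sub").mkdir()
        (memory_dir / "sub" / "deep.txt").write_text("nested")
        outside = tmp / "outside.txt"            # stands in for a file the tool must never touch
        outside.write_text("outside sandbox")

        # Flawed flow: link points inside at check time, elsewhere at use time.
        link = memory_dir / "link"
        link.symlink_to(memory_dir / "notes.txt")
        checked = validate_then_return_unresolved(memory_dir, "link")   # check passes
        link.unlink()
        link.symlink_to(outside)                                          # retargeted before use
        leaked = checked.read_text()                                      # use follows the new target

        # Hardened flow: the same link is refused at open time, regular files still work.
        results = {"vulnerable_read": leaked}
        for label, rel in (("hardened_symlink", "link"), ("hardened_traversal", "../outside.txt")):
            try:
                os.close(open_beneath(memory_dir, rel))
                results[label] = "opened"
            except OSError:                       # ELOOP from O_NOFOLLOW, or PermissionError
                results[label] = "refused"
        results["hardened_regular"] = read_fd(open_beneath(memory_dir, "notes.txt"))
        results["hardened_nested"] = read_fd(open_beneath(memory_dir, "sub/deep.txt"))
        return results


if __name__ == "__main__":
    for key, value in regression_check().items():
        print(f"{key}: {value}")
```

Returning the resolved path instead of the unresolved one narrows the window but does not close it, because the resolve and the open are still two separate system calls; opening component by component with O_NOFOLLOW (or, on recent Linux kernels, openat2 with RESOLVE_BENEATH) removes the window entirely.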

Timeline

Published: March 31, 2026
Last Modified: April 1, 2026
First Seen: March 31, 2026
