CVE-2026-34452
Path Traversal in Claude SDK Async Filesystem Allows Sandbox Escape

Publication date: 2026-03-31

Last updated on: 2026-04-20

Assigner: GitHub, Inc.

Description
The Claude SDK for Python provides access to the Claude API from Python applications. From version 0.86.0 to before version 0.87.0, the async local filesystem memory tool in the Anthropic Python SDK validated that model-supplied paths resolved inside the sandboxed memory directory, but then returned the unresolved path for subsequent file operations. A local attacker able to write to the memory directory could retarget a symlink between validation and use, causing reads or writes to escape the sandbox. The synchronous memory tool implementation was not affected. This issue has been patched in version 0.87.0.
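The check-then-use mismatch the description names, shown as an added illustration that is neither the SDK's code nor the 0.87.0 patch: both validators confirm that a supplied path resolves inside the memory directory, but the vulnerable one hands back the unresolved path while the fixed one hands back the path it actually checked. The directory layout, file names and link target in the demo are constructed.

```python
from pathlib import Path
import tempfile

def validate_unresolved(memory_root: Path, supplied: str) -> Path:
    """Vulnerable pattern: checks the resolved path but returns the unresolved one."""
    candidate = memory_root / supplied.lstrip("/")
    if not candidate.resolve().is_relative_to(memory_root.resolve()):
        raise PermissionError(f"{supplied!r} escapes the memory directory")
    return candidate  # may still contain a symlink component: check/use mismatch

def validate_resolved(memory_root: Path, supplied: str) -> Path:
    """Fixed pattern: the path that was checked is the path that gets used."""
    root = memory_root.resolve()
    resolved = (root / supplied.lstrip("/")).resolve()
    if not resolved.is_relative_to(root):
        raise PermissionError(f"{supplied!r} escapes the memory directory")
    return resolved

def rejects_traversal(memory_root: Path, supplied: str) -> bool:
    """True when the fixed validator refuses the supplied path."""
    try:
        validate_resolved(memory_root, supplied)
    except PermissionError:
        return True
    return False

def demo() -> dict:
    """Constructed scenario (temp dir): a link validated while it points inside
    the sandbox is retargeted before the returned path is used."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        root = base / "memory"
        root.mkdir()
        (root / "inside.txt").write_text("sandboxed")
        (base / "outside.txt").write_text("outside")
        link = root / "note.txt"
        link.symlink_to(root / "inside.txt")

        # Both validators accept the link while it resolves inside the sandbox.
        unsafe = validate_unresolved(root, "note.txt")
        safe = validate_resolved(root, "note.txt")
        # The check-to-use window: the link now resolves outside the sandbox.
        link.unlink()
        link.symlink_to(base / "outside.txt")

        return {
            "unresolved_reads": unsafe.read_text(),   # follows the retargeted link
            "resolved_reads": safe.read_text(),       # pinned to the validated file
            "traversal_rejected": rejects_traversal(root, "../outside.txt"),
        }
```

Returning the resolved path closes the window the advisory describes, but a later open can still be redirected if a component of the resolved path is itself replaced by a writer in the directory; closing that residual race needs opens that refuse to follow links (O_NOFOLLOW or directory-relative opens).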
Meta Information
Published: 2026-03-31
Last Modified: 2026-04-20
Generated: 2026-05-07
AI Q&A: 2026-04-01
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: anthropic
Product: claude_sdk_for_python
Version range: from 0.86.0 (inclusive) to 0.87.0 (exclusive)
CWE
CWE-59: The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
CWE-367: The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Claude SDK for Python versions from 0.86.0 to before 0.87.0, specifically in the async local filesystem memory tool. The tool validated that model-supplied file paths were inside a sandboxed memory directory, but then used the original unresolved path for file operations. This allowed a local attacker who could write to the memory directory to change a symlink between the validation and the file operation, escaping the sandbox and accessing or modifying files outside the intended area.

The synchronous memory tool was not affected by this issue, and the vulnerability was fixed in version 0.87.0.


How can this vulnerability impact me?

This vulnerability can allow a local attacker to bypass sandbox restrictions by manipulating symbolic links after path validation. As a result, the attacker could read or write files outside the intended sandboxed memory directory, potentially leading to unauthorized access or modification of sensitive files on the system.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, you should upgrade the Claude SDK for Python to version 0.87.0 or later, where the issue has been patched.