{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34452", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-27T18:18:14.895Z", "datePublished": "2026-03-31T21:32:37.537Z", "dateUpdated": "2026-04-03T16:08:25.309Z"}, "containers": {"cna": {"title": "Claude SDK for Python: Memory Tool Path Validation Race Condition Allows Sandbox Escape", "problemTypes": [{"descriptions": [{"cweId": "CWE-59", "lang": "en", "description": "CWE-59: Improper Link Resolution Before File Access ('Link Following')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-367", "lang": "en", "description": "CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "LOCAL", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 5.8, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/anthropics/anthropic-sdk-python/security/advisories/GHSA-w828-4qhx-vxx3", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/anthropics/anthropic-sdk-python/security/advisories/GHSA-w828-4qhx-vxx3"}, {"name": "https://github.com/anthropics/anthropic-sdk-python/commit/6599043eee6e86dce16953fcd1fd828052052be6", "tags": ["x_refsource_MISC"], "url": "https://github.com/anthropics/anthropic-sdk-python/commit/6599043eee6e86dce16953fcd1fd828052052be6"}, {"name": "https://github.com/anthropics/anthropic-sdk-python/releases/tag/v0.87.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/anthropics/anthropic-sdk-python/releases/tag/v0.87.0"}], "affected": [{"vendor": "anthropics", "product": "anthropic-sdk-python", "versions": [{"version": ">= 0.86.0, < 0.87.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-31T21:32:37.537Z"}, "descriptions": [{"lang": "en", "value": "The Claude SDK for Python provides access to the Claude API from Python applications. From version 0.86.0 to before version 0.87.0, the async local filesystem memory tool in the Anthropic Python SDK validated that model-supplied paths resolved inside the sandboxed memory directory, but then returned the unresolved path for subsequent file operations. A local attacker able to write to the memory directory could retarget a symlink between validation and use, causing reads or writes to escape the sandbox. The synchronous memory tool implementation was not affected. This issue has been patched in version 0.87.0."}], "source": {"advisory": "GHSA-w828-4qhx-vxx3", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-03T16:06:47.039006Z", "id": "CVE-2026-34452", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T16:08:25.309Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34452", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-03T16:06:47.039006Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T16:08:15.495Z"}}], "cna": {"title": "Claude SDK for Python: Memory Tool Path Validation Race Condition Allows Sandbox Escape", "source": {"advisory": "GHSA-w828-4qhx-vxx3", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.8, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "anthropics", "product": "anthropic-sdk-python", "versions": [{"status": "affected", "version": ">= 0.86.0, < 0.87.0"}]}], "references": [{"url": "https://github.com/anthropics/anthropic-sdk-python/security/advisories/GHSA-w828-4qhx-vxx3", "name": "https://github.com/anthropics/anthropic-sdk-python/security/advisories/GHSA-w828-4qhx-vxx3", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/anthropics/anthropic-sdk-python/commit/6599043eee6e86dce16953fcd1fd828052052be6", "name": "https://github.com/anthropics/anthropic-sdk-python/commit/6599043eee6e86dce16953fcd1fd828052052be6", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/anthropics/anthropic-sdk-python/releases/tag/v0.87.0", "name": "https://github.com/anthropics/anthropic-sdk-python/releases/tag/v0.87.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "The Claude SDK for Python provides access to the Claude API from Python applications. From version 0.86.0 to before version 0.87.0, the async local filesystem memory tool in the Anthropic Python SDK validated that model-supplied paths resolved inside the sandboxed memory directory, but then returned the unresolved path for subsequent file operations. A local attacker able to write to the memory directory could retarget a symlink between validation and use, causing reads or writes to escape the sandbox. The synchronous memory tool implementation was not affected. This issue has been patched in version 0.87.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-59", "description": "CWE-59: Improper Link Resolution Before File Access ('Link Following')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-367", "description": "CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-31T21:32:37.537Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34452", "state": "PUBLISHED", "dateUpdated": "2026-04-03T16:08:25.309Z", "dateReserved": "2026-03-27T18:18:14.895Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-31T21:32:37.537Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:anthropic:claude_sdk_for_python:*:*:*:*:*:python:*:*", "matchCriteriaId": "F8729891-B554-4F1D-AD6B-EA089F7E6AB0", "versionEndExcluding": "0.87.0", "versionStartIncluding": "0.86.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Claude SDK for Python provides access to the Claude API from Python applications. From version 0.86.0 to before version 0.87.0, the async local filesystem memory tool in the Anthropic Python SDK validated that model-supplied paths resolved inside the sandboxed memory directory, but then returned the unresolved path for subsequent file operations. A local attacker able to write to the memory directory could retarget a symlink between validation and use, causing reads or writes to escape the sandbox. The synchronous memory tool implementation was not affected. This issue has been patched in version 0.87.0."}], "id": "CVE-2026-34452", "lastModified": "2026-04-20T13:34:05.023", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 4.2, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-31T22:16:20.320", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/anthropics/anthropic-sdk-python/commit/6599043eee6e86dce16953fcd1fd828052052be6"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/anthropics/anthropic-sdk-python/releases/tag/v0.87.0"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/anthropics/anthropic-sdk-python/security/advisories/GHSA-w828-4qhx-vxx3"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-59"}, {"lang": "en", "value": "CWE-367"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.86.0,0.87.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "anthropic-sdk-python", "source": "cna", "vendor": "anthropics"}, "product": "anthropic-sdk-python", "vendor": "anthropics"}], "analysis": {"en": {"generated_at": "2026-04-01T06:04:47.599435+00:00", "value": {"mitigation_remediation": ["Upgrade anthropic-sdk-python to version 0.87.0 or later. ", "Verify that your environment uses the updated SDK and that no older version remains in the dependency tree. ", "If you cannot upgrade immediately, restrict write permissions to the SDK's memory directory or disable the asynchronous memory tool. ", "Perform application testing to confirm that sandbox isolation is preserved and no unintended file access occurs."], "summary": {"action": "Patch Now", "impact": "Sandbox Escape"}, "threat_synthesis": {"affected_systems": "The affected vendor is Anthropics, product Anthropic Python SDK. Versions from 0.86.0 through just before 0.87.0 contain the flaw. Users of older libraries or custom forks that have not applied the patch are susceptible. The issue is specific to the asynchronous implementation; the synchronous memory tool is unaffected.", "description_and_impact": "The vulnerability is a race condition in the asynchronous memory tool of the Anthropic Python SDK that allows a locally privileged attacker to bypass sandbox isolation by manipulating path validation. A requested path is validated to stay inside the sandboxed memory directory, but the tool returns the unresolved path for subsequent file operations. This permits an attacker who can create a symbolic link after validation to redirect reads or writes outside the intended directory, potentially accessing sensitive files or modifying system data. The weakness falls under CWE-367 and CWE-59.", "risk_and_exploitability": "CVSS score is 5.8 indicating moderate severity. As exploitation requires local write access to the SDK's memory directory, the attack surface is limited to environments where the application runs with sufficient permissions. No EPSS score or KEV listing is available, but the moderate CVSS combined with the local privilege requirement suggests restricted exploitation risk. Updating to version 0.87.0 removes the race condition, limiting the potential for sandbox escape."}}}}, "created": "2026-04-02T07:52:08.380424+00:00", "updated": "2026-04-02T20:10:23.244033+00:00", "vendors": ["anthropics", "anthropics$PRODUCT$anthropic-sdk-python"]}