The vulnerability CVE-2026-34450 affects the Claude SDK for Python (anthropic-sdk-python) specifically versions from 0.86.0 up to but not including 0.87.0. The issue arises from the local filesystem memory tool component, which creates memory files with default permissions set to 0o666. This permission setting means that files are readable and writable by all users on the system, which is problematic on systems with standard umask settings that do not restrict permissions further. In containerized environments, such as Docker base images that often have permissive umasks, these files can become world-writable. This misconfiguration allows a local attacker on a shared host to read sensitive persisted agent state data stored in these files. Furthermore, in containerized deployments, an attacker with access to the container could modify these memory files, potentially influencing the behavior of AI models that rely on this persisted state. Both synchronous and asynchronous memory tool implementations in the SDK are affected, indicating a broad impact within the SDK's memory management features. The vulnerability is classified under CWE-276 (Incorrect Default Permissions) and CWE-732 (Incorrect Permission Assignment for Critical Resource). Exploitation requires local or container access with low privileges but no user interaction or authentication is needed. The vulnerability has a CVSS 4.8 (medium) score reflecting limited but meaningful impact on confidentiality and integrity. The issue was patched in version 0.87.0 of the SDK, which corrects the file permission settings to prevent unauthorized access or modification of memory files.

The primary impact of this vulnerability is unauthorized disclosure and potential tampering with sensitive persisted agent state data used by the Claude SDK. For organizations deploying the anthropic-sdk-python in shared hosting environments, this vulnerability could allow local attackers to read confidential information stored in memory files, leading to information leakage. In containerized environments, the risk is elevated as attackers could modify these files, potentially manipulating AI model behavior, which could lead to incorrect or malicious outputs from AI-driven applications. This could undermine trust in AI services, cause data integrity issues, and potentially lead to further exploitation if the AI model behavior is critical to business processes. The scope is limited to local or container access, so remote exploitation is not feasible without prior access. However, given the increasing use of containerized AI deployments and shared cloud environments, the vulnerability poses a tangible risk to confidentiality and integrity of AI workloads. Organizations relying on this SDK for AI applications should consider the sensitivity of the persisted state and the deployment environment to assess risk.

To mitigate this vulnerability, organizations should upgrade the anthropic-sdk-python to version 0.87.0 or later, where the file permission issue has been fixed. Until the upgrade is applied, administrators should manually enforce stricter file permissions on the memory files created by the SDK, ensuring they are not world-readable or writable (e.g., setting permissions to 0o600 or more restrictive). In containerized environments, explicitly set restrictive umask values or use container security policies to prevent overly permissive file permissions. Additionally, restrict local and container access to trusted users only, minimizing the risk of local attackers exploiting this vulnerability. Monitoring and auditing file permission changes and access to memory files can help detect potential exploitation attempts. Finally, review deployment architectures to avoid shared hosting scenarios where untrusted users have local access, and consider isolating AI workloads in dedicated containers or VMs with strict access controls.