The vulnerability CVE-2026-34451 affects the anthropic-sdk-typescript, specifically versions from 0.79.0 up to but not including 0.81.0. This SDK provides server-side TypeScript or JavaScript applications access to the Claude API. The local filesystem memory tool within the SDK attempts to sandbox file operations by validating paths supplied by the model. However, the validation logic used a string prefix check that did not append a trailing path separator, which is a critical oversight. This allowed an attacker, via prompt injection, to supply a crafted pathname that resolved to a directory outside the intended sandboxed memory directory but sharing a prefix with it. Essentially, the path traversal vulnerability (CWE-22) enables unauthorized read and write operations on the filesystem outside the restricted directory. This could lead to exposure or modification of sensitive files, potentially impacting confidentiality and integrity. The vulnerability was patched in version 0.81.0 by correcting the path validation logic to properly restrict access to the sandbox directory. The CVSS 4.0 vector indicates the attack is network-based, requires no privileges or user interaction, but has high attack complexity and limited impact on confidentiality and integrity, with no impact on availability. No known exploits have been reported in the wild, but the vulnerability represents a significant risk for applications using the affected SDK versions.

The primary impact of this vulnerability is unauthorized access to the local filesystem beyond the intended sandbox directory. This can lead to exposure of sensitive data, unauthorized modification or deletion of files, and potential compromise of application integrity. For organizations, this could mean leakage of confidential information, tampering with application data, or even enabling further attacks if critical system files are accessed or altered. Since the vulnerability can be triggered via prompt injection, it increases the attack surface for adversaries who can influence model inputs. The medium CVSS score reflects moderate risk, but the actual impact depends on the deployment context and the sensitivity of accessible files. Organizations running server-side applications with the affected SDK versions are at risk, especially if they process untrusted inputs or deploy in environments with sensitive data. The lack of authentication requirement and user interaction makes exploitation feasible remotely, although the high attack complexity may limit widespread exploitation. Nonetheless, the potential for data breach and integrity compromise warrants immediate remediation.

Organizations should upgrade the anthropic-sdk-typescript to version 0.81.0 or later, where the vulnerability is patched. Until upgrading, implement strict input validation and sanitization on any data that influences model prompts to reduce the risk of prompt injection attacks. Employ runtime monitoring and filesystem access controls to detect and prevent unauthorized file operations outside designated directories. Consider running the SDK and associated services with least privilege, restricting filesystem permissions to minimize potential damage from exploitation. Additionally, conduct code reviews and security testing focused on path validation logic in custom extensions or integrations. Deploy application-layer firewalls or runtime application self-protection (RASP) tools to detect anomalous filesystem access patterns. Maintain awareness of updates from the vendor and apply patches promptly. Finally, educate developers on secure coding practices related to path handling and sandboxing to prevent similar issues.