The vulnerability CVE-2026-34452 affects the anthropic-sdk-python package, specifically versions from 0.86.0 up to but not including 0.87.0. The issue lies in the async local filesystem memory tool, which is designed to sandbox file operations within a designated memory directory. The tool performs validation to ensure that model-supplied file paths resolve inside the sandbox directory. However, after this validation step, it returns the unresolved path for subsequent file operations. This creates a time-of-check to time-of-use (TOCTOU) race condition where a local attacker with write permissions to the memory directory can replace or retarget a symbolic link (symlink) between the validation and the actual file operation. By doing so, the attacker can cause the program to read from or write to files outside the sandbox, effectively escaping the intended filesystem restrictions. This vulnerability is classified under CWE-59 (Improper Link Resolution Before File Access) and CWE-367 (Time-of-check Time-of-use Race Condition). The synchronous memory tool implementation in the SDK is not affected. The vulnerability requires local access with low privileges, has high attack complexity, and does not require user interaction. The CVSS 4.0 base score is 5.8, reflecting medium severity. The issue was patched in version 0.87.0 of the anthropic-sdk-python package. There are no known exploits reported in the wild at this time.

This vulnerability allows a local attacker with write access to the memory directory used by the vulnerable async memory tool to escape the sandbox and perform unauthorized file reads or writes outside the intended directory. This could lead to unauthorized data disclosure, data tampering, or corruption of files on the host system. For organizations using the affected versions of anthropic-sdk-python in environments where untrusted users or processes have local write access to the memory directory, this could compromise the integrity and confidentiality of sensitive data. The impact is limited by the requirement for local access and the high complexity of the attack, but in multi-tenant or shared environments, or where the SDK is used in automated workflows with less strict access controls, the risk increases. Exploitation could undermine trust in sandboxing mechanisms and potentially facilitate privilege escalation or lateral movement if combined with other vulnerabilities.

Organizations should upgrade anthropic-sdk-python to version 0.87.0 or later, where the vulnerability has been patched. Until upgrading is possible, restrict write permissions to the memory directory used by the async local filesystem memory tool to trusted users only, preventing untrusted local users from creating or modifying symlinks. Implement monitoring and alerting for unexpected symlink creation or modification in the memory directory. Consider using file system features or mandatory access controls (e.g., SELinux, AppArmor) to enforce strict sandbox boundaries. Review and audit local access controls on systems running the SDK to ensure that only authorized users have write access to relevant directories. Additionally, avoid running the vulnerable async memory tool in environments where local untrusted users exist. Finally, conduct thorough testing after patching to confirm that sandbox escapes are no longer possible.