CVE-2026-34452: CWE-59: Improper Link Resolution Before File Access ('Link Following') in anthropics anthropic-sdk-python
The Claude SDK for Python provides access to the Claude API from Python applications. From version 0.86.0 to before version 0.87.0, the async local filesystem memory tool in the Anthropic Python SDK validated that model-supplied paths resolved inside the sandboxed memory directory, but then returned the unresolved path for subsequent file operations. A local attacker able to write to the memory directory could retarget a symlink between validation and use, causing reads or writes to escape the sandbox. The synchronous memory tool implementation was not affected. This issue has been patched in version 0.87.0.
AI Analysis
Technical Summary
The Claude SDK for Python's async local filesystem memory tool validated that model-supplied paths resolved inside a sandboxed memory directory but returned the unresolved path for file operations. This allowed a local attacker with write permissions to the memory directory to replace the symlink between validation and use, causing file reads or writes to occur outside the sandbox. The vulnerability affects versions >= 0.86.0 and < 0.87.0 and has been fixed in version 0.87.0. The synchronous memory tool implementation was not vulnerable.
Potential Impact
A local attacker with write access to the memory directory could exploit this vulnerability to escape the sandbox restrictions, potentially reading or writing files outside the intended sandbox environment. This could lead to unauthorized file access or modification within the local system context where the SDK is used.
Mitigation Recommendations
Upgrade the anthropic-sdk-python package to version 0.87.0 or later, where this vulnerability has been patched. No other mitigation is necessary as the fix is officially available in the updated version.
CVE-2026-34452: CWE-59: Improper Link Resolution Before File Access ('Link Following') in anthropics anthropic-sdk-python
Description
The Claude SDK for Python provides access to the Claude API from Python applications. From version 0.86.0 to before version 0.87.0, the async local filesystem memory tool in the Anthropic Python SDK validated that model-supplied paths resolved inside the sandboxed memory directory, but then returned the unresolved path for subsequent file operations. A local attacker able to write to the memory directory could retarget a symlink between validation and use, causing reads or writes to escape the sandbox. The synchronous memory tool implementation was not affected. This issue has been patched in version 0.87.0.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The Claude SDK for Python's async local filesystem memory tool validated that model-supplied paths resolved inside a sandboxed memory directory but returned the unresolved path for file operations. This allowed a local attacker with write permissions to the memory directory to replace the symlink between validation and use, causing file reads or writes to occur outside the sandbox. The vulnerability affects versions >= 0.86.0 and < 0.87.0 and has been fixed in version 0.87.0. The synchronous memory tool implementation was not vulnerable.
Potential Impact
A local attacker with write access to the memory directory could exploit this vulnerability to escape the sandbox restrictions, potentially reading or writing files outside the intended sandbox environment. This could lead to unauthorized file access or modification within the local system context where the SDK is used.
Mitigation Recommendations
Upgrade the anthropic-sdk-python package to version 0.87.0 or later, where this vulnerability has been patched. No other mitigation is necessary as the fix is officially available in the updated version.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-27T18:18:14.895Z
- Cvss Version
- 4.0
- State
- PUBLISHED
Threat ID: 69cc424fe6bfc5ba1d44f4b9
Added to database: 3/31/2026, 9:53:19 PM
Last enriched: 4/7/2026, 11:19:42 PM
Last updated: 5/16/2026, 2:40:25 AM
Views: 91
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.