Description
The Claude SDK for Python provides access to the Claude API from Python applications. From version 0.86.0 to before version 0.87.0, the local filesystem memory tool in the Anthropic Python SDK created memory files with mode 0o666, leaving them world-readable on systems with a standard umask and world-writable in environments with a permissive umask such as many Docker base images. A local attacker on a shared host could read persisted agent state, and in containerized deployments could modify memory files to influence subsequent model behavior. Both the synchronous and asynchronous memory tool implementations were affected. This issue has been patched in version 0.87.0.
Published: 2026-03-31
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized access to memory files leading to potential data exposure or modification
Action: Patch Now
AI Analysis

Impact

The Claude SDK for Python contains a flaw in its local filesystem memory tool that creates files with permissive permissions, allowing any local user on a shared host to read or modify the persisted agent state. The issue arises because files are created with mode 0o666, making them world‑readable or world‑writable when the system's umask is permissive, such as in many Docker images. An attacker who can execute code within the same host or container can exploit this to gain unauthorized access to sensitive data or influence future model interactions. The weakness corresponds to incorrect permissions and missing authorization in privileged operations, reflected in CWE‑276 and CWE‑732.

Affected Systems

The vulnerability affects the Anthropic Python SDK for version 0.86.0 through any release prior to 0.87.0. These versions were released by Anthropics. The fix is available in version 0.87.0 and later.

Risk and Exploitability

The CVSS score is 4.8, which is a moderate severity. The EPSS score is not provided, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is local: an attacker who has a user account on a shared host or anyone able to execute code inside a container when the SDK is installed can read or modify memory files. As the problem stems from file permission misconfiguration, it can be mitigated by applying the patch or restricting the umask.

Generated by OpenCVE AI on April 1, 2026 at 06:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Anthropic Python SDK to version 0.87.0 or later to apply the fixed file permissions.
  • Verify that new memory files are created with restrictive permissions (e.g., 0o600).
  • Ensure container base images set a restrictive umask to prevent creation of world‑writable files.
  • Monitor SDK usage and logs for unexpected file creation or permission changes.

Generated by OpenCVE AI on April 1, 2026 at 06:04 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-q5f5-3gjm-7mfm Claude SDK for Python has Insecure Default File Permissions in Local Filesystem Memory Tool
History

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Anthropics
Anthropics anthropic-sdk-python
Vendors & Products Anthropics
Anthropics anthropic-sdk-python

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
Description The Claude SDK for Python provides access to the Claude API from Python applications. From version 0.86.0 to before version 0.87.0, the local filesystem memory tool in the Anthropic Python SDK created memory files with mode 0o666, leaving them world-readable on systems with a standard umask and world-writable in environments with a permissive umask such as many Docker base images. A local attacker on a shared host could read persisted agent state, and in containerized deployments could modify memory files to influence subsequent model behavior. Both the synchronous and asynchronous memory tool implementations were affected. This issue has been patched in version 0.87.0.
Title Claude SDK for Python: Insecure Default File Permissions in Local Filesystem Memory Tool
Weaknesses CWE-276
CWE-732
References
Metrics cvssV4_0

{'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Anthropics Anthropic-sdk-python
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-01T13:35:18.879Z

Reserved: 2026-03-27T18:18:14.895Z

Link: CVE-2026-34450

cve-icon Vulnrichment

Updated: 2026-04-01T13:35:15.464Z

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-03-31T22:16:19.987

Modified: 2026-04-01T14:23:37.727

Link: CVE-2026-34450

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-02T20:10:22Z

Weaknesses