Description
The Claude SDK for Python provides access to the Claude API from Python applications. From version 0.86.0 to before version 0.87.0, the local filesystem memory tool in the Anthropic Python SDK created memory files with mode 0o666, leaving them world-readable on systems with a standard umask and world-writable in environments with a permissive umask such as many Docker base images. A local attacker on a shared host could read persisted agent state, and in containerized deployments could modify memory files to influence subsequent model behavior. Both the synchronous and asynchronous memory tool implementations were affected. This issue has been patched in version 0.87.0.
Published: 2026-03-31
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Local attacker can read or modify stored Claude agent state due to insecure file permissions
Action: Apply Patch
AI Analysis

Impact

The Claude SDK for Python’s local filesystem memory tool created files with mode 0o666, which are world‑readable on systems with a default umask and become world‑writable on containers that use permissive umasks. As a result, a local attacker on a shared host could read persisted agent data or write to it, allowing tampering with subsequent Claude responses. This weakness aligns with CWE‑276 (Default Permissions) and CWE‑732 (Incorrect Permission Assignment).

Affected Systems

The vulnerability impacts the Anthropic Claude SDK for Python, affecting releases from version 0.86.0 up to, but not including, 0.87.0. Both the synchronous and asynchronous memory tool implementations exhibit the insecure behaviour. Python applications that rely on these SDK versions and persist Claude agent state on disk are therefore affected.

Risk and Exploitability

The CVSS score is 4.8 and the EPSS is below 1 %, indicating a moderate risk level with limited likelihood of widespread exploitation. The attack requires local access on a shared host or within a container; in multi‑tenant environments, a malicious user could access or alter memory files, exposing data or influencing model outputs. The vulnerability is not listed in the CISA KEV catalog, suggesting no known widespread exploitation at the time of disclosure.

Generated by OpenCVE AI on April 13, 2026 at 16:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Anthropic Claude SDK for Python to version 0.87.0 or later.
  • Remove any memory files that were created by older SDK versions and still have insecure 0666 permissions.
  • Verify that any new memory files created by the updated SDK are created with restricted permissions.

Generated by OpenCVE AI on April 13, 2026 at 16:31 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-q5f5-3gjm-7mfm Claude SDK for Python has Insecure Default File Permissions in Local Filesystem Memory Tool
History

Mon, 13 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Anthropic
Anthropic claude Sdk For Python
CPEs cpe:2.3:a:anthropic:claude_sdk_for_python:*:*:*:*:*:python:*:*
Vendors & Products Anthropic
Anthropic claude Sdk For Python
Metrics cvssV3_1

{'score': 4.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Anthropics
Anthropics anthropic-sdk-python
Vendors & Products Anthropics
Anthropics anthropic-sdk-python

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
Description The Claude SDK for Python provides access to the Claude API from Python applications. From version 0.86.0 to before version 0.87.0, the local filesystem memory tool in the Anthropic Python SDK created memory files with mode 0o666, leaving them world-readable on systems with a standard umask and world-writable in environments with a permissive umask such as many Docker base images. A local attacker on a shared host could read persisted agent state, and in containerized deployments could modify memory files to influence subsequent model behavior. Both the synchronous and asynchronous memory tool implementations were affected. This issue has been patched in version 0.87.0.
Title Claude SDK for Python: Insecure Default File Permissions in Local Filesystem Memory Tool
Weaknesses CWE-276
CWE-732
References
Metrics cvssV4_0

{'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Anthropic Claude Sdk For Python
Anthropics Anthropic-sdk-python
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-01T13:35:18.879Z

Reserved: 2026-03-27T18:18:14.895Z

Link: CVE-2026-34450

cve-icon Vulnrichment

Updated: 2026-04-01T13:35:15.464Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-31T22:16:19.987

Modified: 2026-04-13T15:10:50.597

Link: CVE-2026-34450

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:42:11Z

Weaknesses