Description
The Claude SDK for Python provides access to the Claude API from Python applications. From version 0.86.0 to before version 0.87.0, the async local filesystem memory tool in the Anthropic Python SDK validated that model-supplied paths resolved inside the sandboxed memory directory, but then returned the unresolved path for subsequent file operations. A local attacker able to write to the memory directory could retarget a symlink between validation and use, causing reads or writes to escape the sandbox. The synchronous memory tool implementation was not affected. This issue has been patched in version 0.87.0.
Published: 2026-03-31
Score: 5.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Sandbox Escape
Action: Patch Now
AI Analysis

Impact

The vulnerability is a race condition in the asynchronous memory tool of the Anthropic Python SDK that allows a locally privileged attacker to bypass sandbox isolation by manipulating path validation. A requested path is validated to stay inside the sandboxed memory directory, but the tool returns the unresolved path for subsequent file operations. This permits an attacker who can create a symbolic link after validation to redirect reads or writes outside the intended directory, potentially accessing sensitive files or modifying system data. The weakness falls under CWE-367 and CWE-59.

Affected Systems

The affected vendor is Anthropics, product Anthropic Python SDK. Versions from 0.86.0 through just before 0.87.0 contain the flaw. Users of older libraries or custom forks that have not applied the patch are susceptible. The issue is specific to the asynchronous implementation; the synchronous memory tool is unaffected.

Risk and Exploitability

CVSS score is 5.8 indicating moderate severity. As exploitation requires local write access to the SDK's memory directory, the attack surface is limited to environments where the application runs with sufficient permissions. No EPSS score or KEV listing is available, but the moderate CVSS combined with the local privilege requirement suggests restricted exploitation risk. Updating to version 0.87.0 removes the race condition, limiting the potential for sandbox escape.

Generated by OpenCVE AI on April 1, 2026 at 06:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade anthropic-sdk-python to version 0.87.0 or later.
  • Verify that your environment uses the updated SDK and that no older version remains in the dependency tree.
  • If you cannot upgrade immediately, restrict write permissions to the SDK's memory directory or disable the asynchronous memory tool.
  • Perform application testing to confirm that sandbox isolation is preserved and no unintended file access occurs.

Generated by OpenCVE AI on April 1, 2026 at 06:04 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-w828-4qhx-vxx3 Claude SDK for Python: Memory Tool Path Validation Race Condition Allows Sandbox Escape
History

Fri, 03 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Anthropics
Anthropics anthropic-sdk-python
Vendors & Products Anthropics
Anthropics anthropic-sdk-python

Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
Description The Claude SDK for Python provides access to the Claude API from Python applications. From version 0.86.0 to before version 0.87.0, the async local filesystem memory tool in the Anthropic Python SDK validated that model-supplied paths resolved inside the sandboxed memory directory, but then returned the unresolved path for subsequent file operations. A local attacker able to write to the memory directory could retarget a symlink between validation and use, causing reads or writes to escape the sandbox. The synchronous memory tool implementation was not affected. This issue has been patched in version 0.87.0.
Title Claude SDK for Python: Memory Tool Path Validation Race Condition Allows Sandbox Escape
Weaknesses CWE-367
CWE-59
References
Metrics cvssV4_0

{'score': 5.8, 'vector': 'CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Anthropics Anthropic-sdk-python
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-03T16:08:25.309Z

Reserved: 2026-03-27T18:18:14.895Z

Link: CVE-2026-34452

cve-icon Vulnrichment

Updated: 2026-04-03T16:08:15.495Z

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-03-31T22:16:20.320

Modified: 2026-04-01T14:23:37.727

Link: CVE-2026-34452

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-02T20:10:23Z

Weaknesses