Description
A security vulnerability has been detected in ErlichLiu claude-agent-sdk-master up to b185aa7ff0d864581257008077b4010fca1747bf. Affected by this vulnerability is an unknown functionality of the file app/api/agent-output/route.ts. The manipulation of the argument outputFile leads to path traversal. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-04-28
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Path Traversal
Action: Apply Patch
AI Analysis

Impact

The vulnerability in ErlichLiu claude-agent-sdk-master allows an attacker to manipulate the outputFile argument in the route located at app/api/agent-output/route.ts, resulting in path traversal. This flaw can lead to unauthorized reading or writing of arbitrary files on the server, exposing sensitive configuration or source code files. The weakness is identified as CWE-22, indicating improper validation of file paths.

Affected Systems

The affected product is ErlichLiu's claude-agent-sdk-master. No precise version information is available beyond a commit identifier (b185aa7ff0d864581257008077b4010fca1747bf); however, any release prior to a discovered fix is potentially vulnerable due to the repository's rolling‑release model. Users should therefore treat all current releases as at risk until an update is issued.

Risk and Exploitability

The CVSS score of 6.9 reflects a moderate severity, and the EPSS score is not available, meaning current exploit probability data are unknown. The attack may be initiated remotely, as stated in the description. Based on the description, it is inferred that no authentication is required to manipulate the outputFile parameter, allowing path traversal. Because the exploit has already been publicly disclosed, the risk of exploitation is tangible if no mitigation is applied.

Generated by OpenCVE AI on April 28, 2026 at 19:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to the latest version of claude-agent-sdk-master once the repository author releases a patch resolving the path traversal issue.
  • If a patch is not yet available, restrict the outputFile parameter by validating against a whitelist of allowed directories and rejecting any requests containing directory traversal sequences such as "..".
  • Limit access to the agent‑output API endpoint at the network or firewall level so that only trusted IP addresses or internal networks can reach it until a fix is deployed.

Generated by OpenCVE AI on April 28, 2026 at 19:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 28 Apr 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Erlichliu
Erlichliu claude-agent-sdk-master
Vendors & Products Erlichliu
Erlichliu claude-agent-sdk-master

Tue, 28 Apr 2026 07:30:00 +0000

Type Values Removed Values Added
Description A security vulnerability has been detected in ErlichLiu claude-agent-sdk-master up to b185aa7ff0d864581257008077b4010fca1747bf. Affected by this vulnerability is an unknown functionality of the file app/api/agent-output/route.ts. The manipulation of the argument outputFile leads to path traversal. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. The project was informed of the problem early through an issue report but has not responded yet.
Title ErlichLiu claude-agent-sdk-master route.ts path traversal
Weaknesses CWE-22
References
Metrics cvssV2_0

{'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:N/A:N/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 5.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Erlichliu Claude-agent-sdk-master
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-28T14:33:44.662Z

Reserved: 2026-04-27T17:05:37.684Z

Link: CVE-2026-7235

cve-icon Vulnrichment

Updated: 2026-04-28T14:07:01.355Z

cve-icon NVD

Status : Deferred

Published: 2026-04-28T08:16:02.467

Modified: 2026-04-28T20:31:00.800

Link: CVE-2026-7235

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T19:30:27Z

Weaknesses