CVE-2026-34451 Overview
A path traversal vulnerability exists in the Anthropic TypeScript SDK's local filesystem memory tool that allows attackers to read and write files outside the intended sandboxed memory directory. The vulnerability stems from improper path validation that uses a string prefix check without appending a trailing path separator, enabling a model steered by prompt injection to escape directory boundaries.
Critical Impact
Attackers can leverage prompt injection to manipulate the AI model into supplying crafted paths that bypass sandbox restrictions, enabling unauthorized file system access to sibling directories sharing the memory root's name as a prefix.
Affected Products
- Anthropic TypeScript SDK versions 0.79.0 to 0.80.x
- Server-side TypeScript applications using the vulnerable SDK
- Server-side JavaScript applications using the vulnerable SDK
Discovery Timeline
- 2026-03-31 - CVE-2026-34451 published to NVD
- 2026-04-01 - Last updated in NVD database
Technical Details for CVE-2026-34451
Vulnerability Analysis
This path traversal vulnerability (CWE-22) exists in the local filesystem memory tool component of the Anthropic TypeScript SDK. The core issue lies in how the SDK validates file paths supplied by the AI model. When the memory tool receives a path request, it performs validation using a simple string prefix check against the configured memory root directory. However, this validation fails to append a trailing path separator (/) to the root path before comparison.
This oversight creates a significant security gap: if the memory root is configured as /app/memory, the prefix check would incorrectly validate paths like /app/memory-backup/sensitive.txt or /app/memory_logs/secrets.json because they begin with the same string prefix. A malicious actor can exploit this through prompt injection attacks, manipulating the model to request files from these sibling directories that share the memory root's name as a prefix.
Root Cause
The root cause is improper input validation in the path normalization routine. The string prefix validation approach is fundamentally flawed for directory boundary enforcement because it does not account for directory naming conventions in file systems. Proper path canonicalization and the addition of a trailing separator before comparison would prevent paths to sibling directories from passing validation.
Attack Vector
The attack vector is network-based and requires the attacker to successfully inject malicious prompts that influence the model's behavior. The attack flow involves:
- Attacker crafts a prompt injection payload targeting an application using the vulnerable SDK
- The injected prompt manipulates the AI model to request file operations on crafted paths
- The model supplies a path like /app/memory-sibling/target.txt when memory root is /app/memory
- The faulty prefix validation accepts this path as valid
- The SDK performs unauthorized read or write operations outside the sandbox
The vulnerability mechanism exploits the inadequate path boundary validation. When the memory root is set to a directory like /app/memory, an attacker-influenced model can supply paths such as /app/memory-backup/credentials.json which pass the prefix check but resolve to entirely different directory trees. For detailed technical analysis, refer to the GitHub Security Advisory.
Detection Methods for CVE-2026-34451
Indicators of Compromise
- File access attempts to directories with names similar to the configured memory root (e.g., memory-backup, memory_old, memoryfiles)
- Unexpected file read or write operations in directories adjacent to the memory sandbox
- Prompt injection patterns in application logs targeting file path generation
- Model-generated file paths containing directory traversal sequences or sibling directory names
Detection Strategies
- Monitor application logs for file system operations targeting paths outside the expected memory root directory
- Implement runtime detection for prompt injection patterns in user inputs
- Deploy file integrity monitoring on directories adjacent to memory sandbox locations
- Audit SDK version dependencies to identify applications running affected versions 0.79.0 through 0.80.x
Monitoring Recommendations
- Enable verbose logging for the Anthropic SDK memory tool file operations
- Configure alerting for any file access attempts that resolve to unexpected directory paths
- Implement behavioral analysis to detect anomalous model-generated file path patterns
- Review application access logs for patterns consistent with prompt injection attacks
How to Mitigate CVE-2026-34451
Immediate Actions Required
- Upgrade the Anthropic TypeScript SDK to version 0.81.0 or later immediately
- Audit applications using SDK versions 0.79.0 through 0.80.x for potential exploitation
- Review file system access logs for evidence of unauthorized directory access
- Consider temporarily disabling the local filesystem memory tool if immediate upgrade is not possible
Patch Information
The vulnerability has been patched in Anthropic TypeScript SDK version 0.81.0. The fix properly validates model-supplied paths by ensuring the trailing path separator is included in the prefix comparison, preventing escape to sibling directories. Organizations should update their dependencies immediately using their package manager.
For detailed patch information, refer to:
Workarounds
- Configure the memory root directory with a unique name that is unlikely to have sibling directories with similar prefixes
- Implement additional application-level path validation before passing paths to the SDK memory tool
- Use file system permissions to restrict SDK process access to only the intended memory directory
- Deploy the application in a containerized environment with strict filesystem isolation
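```bash
# Update the Anthropic TypeScript SDK to the patched version
# (npm install accepts an explicit version; npm update only moves within the range in package.json)
npm install @anthropic-ai/sdk@0.81.0
# Or using yarn
yarn upgrade @anthropic-ai/sdk@0.81.0
# Verify the installed version
npm list @anthropic-ai/sdk
```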


