CVE-2026-34452 Overview
A Time-of-Check Time-of-Use (TOCTOU) race condition vulnerability exists in the Anthropic Python SDK's async local filesystem memory tool. From version 0.86.0 to before version 0.87.0, the SDK validated that model-supplied paths resolved inside the sandboxed memory directory but then returned the unresolved path for subsequent file operations. A local attacker with write access to the memory directory could retarget a symlink between the validation and use phases, causing reads or writes to escape the sandbox.
Critical Impact
Local attackers can leverage this symlink race condition to escape the filesystem sandbox, potentially enabling unauthorized read or write access to files outside the intended memory directory.
Affected Products
- Anthropic Python SDK version 0.86.0
- Anthropic Python SDK versions prior to 0.87.0
Discovery Timeline
- 2026-03-31 - CVE CVE-2026-34452 published to NVD
- 2026-04-01 - Last updated in NVD database
Technical Details for CVE-2026-34452
Vulnerability Analysis
This vulnerability is a classic TOCTOU race condition (CWE-59: Improper Link Resolution Before File Access) in the async filesystem memory tool implementation. The flaw exists in the path validation logic of the _validate_path function within src/anthropic/lib/tools/_beta_builtin_memory_tool.py.
The vulnerable code properly validated that a model-supplied path resolved to a location within the sandboxed memory directory. However, after performing this validation, the function returned the original unresolved full_path rather than the canonicalized resolved_path. This created a window of opportunity between validation and file operation execution.
During this race window, an attacker with local write access to the memory directory could manipulate a symlink to point to a target outside the sandbox. When the subsequent file operation executed using the unresolved path, it would follow the now-modified symlink, effectively bypassing the sandbox restrictions.
The synchronous memory tool implementation was not affected by this vulnerability, as it handled path resolution correctly.
Root Cause
The root cause is improper handling of resolved versus unresolved paths in the async _validate_path function. After calling _async_validate_no_symlink_escape() to verify the path resolved within bounds, the function incorrectly returned full_path (the unresolved path) instead of the validated resolved_path. This allowed the symlink target to be changed after validation but before the actual file operation.
Attack Vector
The attack requires local access and the ability to write to the memory directory. An attacker would:
- Create a symlink within the memory directory pointing to a safe location
- Trigger an async file operation on the symlink
- During the race window after validation but before file access, retarget the symlink to point outside the sandbox (e.g., to /etc/passwd or sensitive application files)
- The file operation then follows the modified symlink, escaping the sandbox
The attack complexity is high due to the timing requirements, but successful exploitation allows unauthorized file reads or writes outside the intended sandbox boundary.
await _async_validate_no_symlink_escape(full_path, self.memory_root)
- return full_path
+ return AsyncPath(resolved_path)
@override
async def view(self, command: BetaMemoryTool20250818ViewCommand) -> str:
Source: GitHub Commit Update
Detection Methods for CVE-2026-34452
Indicators of Compromise
- Unusual symlink creation or modification activity within the Anthropic SDK memory directory
- File access patterns showing reads or writes to sensitive files like /etc/passwd, /etc/shadow, or application configuration files from SDK processes
- Rapid sequential file system events (symlink modification followed immediately by file access) within memory tool directories
Detection Strategies
- Monitor the memory directory used by the Anthropic Python SDK for symlink creation and modification events using filesystem auditing tools
- Implement file integrity monitoring (FIM) on sensitive system files to detect unauthorized access attempts
- Review application logs for unexpected file path references outside the designated memory sandbox
- Use process monitoring to track file operations performed by applications using the Anthropic SDK
Monitoring Recommendations
- Enable detailed filesystem auditing on systems running applications that use the Anthropic Python SDK version 0.86.0
- Configure SIEM rules to correlate rapid symlink modifications with subsequent file access events
- Monitor for processes attempting to access files outside their expected working directories
- Implement anomaly detection for file access patterns that deviate from normal application behavior
How to Mitigate CVE-2026-34452
Immediate Actions Required
- Upgrade the Anthropic Python SDK to version 0.87.0 or later immediately
- Audit applications using version 0.86.0 of the SDK for potential exploitation
- Review file access logs for evidence of sandbox escape attempts
- Restrict write access to the memory directory used by the SDK to only trusted processes
Patch Information
Anthropic has released version 0.87.0 of the Python SDK which addresses this vulnerability. The fix ensures that the async _validate_path function returns the resolved path (AsyncPath(resolved_path)) rather than the unresolved path, eliminating the TOCTOU race condition.
Upgrade using pip:
pip install anthropic>=0.87.0
For detailed patch information, see the GitHub Security Advisory GHSA-w828-4qhx-vxx3 and the release notes for v0.87.0.
Workarounds
- Use the synchronous memory tool implementation instead of the async version, as it was not affected by this vulnerability
- Implement strict access controls on the memory directory to prevent untrusted local users from writing to it
- Deploy the application in an isolated environment where local attackers cannot gain write access to the memory directory
- Consider using container isolation or sandboxing technologies to limit the impact of potential sandbox escapes
# Configuration example
# Upgrade Anthropic SDK to patched version
pip install --upgrade anthropic>=0.87.0
# Verify installed version
pip show anthropic | grep Version
# Restrict memory directory permissions (example)
chmod 700 /path/to/memory/directory
chown appuser:appgroup /path/to/memory/directory
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
