CVE-2026-41686 Overview
CVE-2026-41686 is an insecure file permissions vulnerability in the Anthropic Claude SDK for TypeScript. The flaw resides in the BetaLocalFilesystemMemoryTool, which persists agent memory state to disk. Affected versions from 0.79.0 up to (but not including) 0.91.1 create memory files using the Node.js default mode 0o666 and directories using 0o777. On systems with a standard umask, these artifacts are world-readable. In containerized environments such as many Docker base images that use a permissive umask, the files become world-writable. The issue is patched in version 0.91.1.
Critical Impact
A local attacker on a shared host can read persisted agent state, and in containerized deployments can modify memory files to influence subsequent Claude model behavior.
Affected Products
- Anthropic Claude SDK for TypeScript versions 0.79.0 through 0.91.0
- Server-side TypeScript or JavaScript applications using BetaLocalFilesystemMemoryTool
- Containerized deployments (Docker base images) running the affected SDK versions
Discovery Timeline
- 2026-05-04 - CVE-2026-41686 published to NVD
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2026-41686
Vulnerability Analysis
The vulnerability is classified as Incorrect Permission Assignment for Critical Resource [CWE-732]. The BetaLocalFilesystemMemoryTool writes agent memory artifacts to the local filesystem without specifying restrictive file modes. Node.js falls back to its defaults, applying 0o666 to files and 0o777 to directories before the process umask is applied.
On standard Linux hosts where the umask is 0o022, the resulting permissions become 0o644 and 0o755, allowing any local user to read agent memory contents. Many Docker base images run with a permissive umask of 0o000, leaving files at 0o666 and directories at 0o777. Any process or user inside the container can then read and modify the persisted state.
The memory tool is intended to give Claude agents persistent context across sessions. Because that context is replayed into model prompts, write access to the memory files allows an attacker to inject instructions or poisoned data that the model will treat as trusted history.
Root Cause
The SDK omits an explicit mode argument when calling Node.js filesystem APIs such as fs.writeFile and fs.mkdir. The defaults are appropriate for non-sensitive content but inadequate for files that store agent state and influence model output.
Attack Vector
Exploitation requires local access to the host or container running the Claude SDK. An unprivileged local user enumerates memory directories created by the agent process and reads their contents to extract conversation history, tool outputs, or sensitive context. In containers with a permissive umask, the same user overwrites memory files with crafted content. The agent loads the tampered data on the next invocation, allowing the attacker to steer model decisions, suppress prior context, or inject malicious instructions through stored memory.
No verified exploit code is publicly available. The vulnerability mechanism is documented in the GitHub Security Advisory GHSA-p7fg-763f-g4gf.
Detection Methods for CVE-2026-41686
Indicators of Compromise
- Memory files created by the Claude SDK with permissions of 0o644, 0o666, or broader
- Memory directories with permissions of 0o755 or 0o777 owned by the agent process user
- Unexpected modifications to memory files outside the agent runtime, especially writes from non-agent UIDs
Detection Strategies
- Audit the installed version of @anthropic-ai/sdk across Node.js services and flag any version in the range 0.79.0 to 0.91.0
- Run periodic permission scans (find <memory_path> -perm /o+w) over directories used by BetaLocalFilesystemMemoryTool
- Compare hashes of memory files against expected agent-generated baselines to identify tampering
Monitoring Recommendations
- Enable filesystem auditing (auditd, eBPF, or container runtime logs) on memory storage paths used by the SDK
- Alert on writes to agent memory files originating from processes other than the SDK runtime
- Track package manifests in CI/CD to detect downgrades to vulnerable SDK versions
How to Mitigate CVE-2026-41686
Immediate Actions Required
- Upgrade @anthropic-ai/sdk to version 0.91.1 or later in all TypeScript and JavaScript applications
- Inventory containers and shared hosts where the SDK is deployed and verify the umask configuration
- Restrict access to existing memory directories to the agent service account only
Patch Information
The maintainers fixed the issue in version 0.91.1 by setting restrictive file and directory modes when the BetaLocalFilesystemMemoryTool writes to disk. Refer to the GitHub Security Advisory GHSA-p7fg-763f-g4gf for full remediation details.
Workarounds
- Set a restrictive umask such as 0o077 for the process running the SDK before the agent starts
- Place memory directories on filesystems or mount points with access controls limited to the agent user
- Avoid running the SDK on multi-tenant hosts or shared containers until the upgrade is applied
# Configuration example: enforce a restrictive umask and ownership for the agent process
umask 0077
mkdir -p /var/lib/claude-agent/memory
chown agent:agent /var/lib/claude-agent/memory
chmod 700 /var/lib/claude-agent/memory
npm install @anthropic-ai/sdk@^0.91.1
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
