PT-2026-29380 · Anthropic · Claude Sdk For Python

Kasthelord · Published 2026-03-31 · Updated 2026-04-01 · CVE-2026-34452

CVSS v4.0: 5.8 Medium

Vector: AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions

Claude SDK for Python versions 0.86.0 through 0.86.999

Description

The Claude SDK for Python, which is used to access the Claude API, had a flaw in its async local filesystem memory tool in versions from 0.86.0 up to, but not including, 0.87.0. The tool validated that a file path was inside the sandbox, but then used the unvalidated path for the file operation. A local attacker who could write to the memory directory could potentially escape the sandbox by manipulating symlinks between the validation and use stages. The synchronous memory tool was not affected.

Recommendations

Update to version 0.87.0 or later.
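
The check-then-use pattern described above, next to a hardened read that never follows symlinks, as an added example (not the SDK's code or its fix). The function names and the constructed directory layout are assumptions, and the hardened version relies on POSIX `dir_fd` and `O_NOFOLLOW` support.

```python
# Added illustration: hypothetical function names, not SDK code. POSIX only.
import os
import tempfile

def read_check_then_use(root: str, relpath: str) -> bytes:
    """Check-then-use pattern: the check and the open resolve the path separately."""
    base = os.path.realpath(root)
    candidate = os.path.join(base, relpath)
    if os.path.commonpath([base, os.path.realpath(candidate)]) != base:
        raise PermissionError(f"outside sandbox: {relpath!r}")
    # Anything that can write under root may change a symlink at this point.
    with open(candidate, "rb") as fh:  # second, independent path resolution
        return fh.read()

def read_no_follow(root: str, relpath: str) -> bytes:
    """Walk from a directory fd, refusing symlinks at every component."""
    parts = [p for p in relpath.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        raise PermissionError(f"outside sandbox: {relpath!r}")
    fd = os.open(root, os.O_RDONLY | os.O_DIRECTORY)
    try:
        for name in parts[:-1]:
            nxt = os.open(name, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW, dir_fd=fd)
            os.close(fd)
            fd = nxt
        leaf = os.open(parts[-1], os.O_RDONLY | os.O_NOFOLLOW, dir_fd=fd)
    finally:
        os.close(fd)
    with os.fdopen(leaf, "rb") as fh:  # the fd that was checked is the fd that is read
        return fh.read()

def demo() -> dict:
    """Constructed layout: sandbox/notes/a.txt plus sandbox/link -> outside dir."""
    with tempfile.TemporaryDirectory() as tmp:
        root, outside = os.path.join(tmp, "sandbox"), os.path.join(tmp, "outside")
        os.makedirs(os.path.join(root, "notes"))
        os.makedirs(outside)
        with open(os.path.join(root, "notes", "a.txt"), "wb") as fh:
            fh.write(b"memory")
        with open(os.path.join(outside, "secret.txt"), "wb") as fh:
            fh.write(b"secret")
        os.symlink(outside, os.path.join(root, "link"))
        out = {"regular": read_no_follow(root, "notes/a.txt")}
        try:
            read_no_follow(root, "link/secret.txt")
            out["via_symlink"] = "read"
        except OSError:
            out["via_symlink"] = "refused"
        return out
```

Because each component is opened relative to the previous directory descriptor with `O_NOFOLLOW`, there is no second path resolution for a later symlink change to influence.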

Exploit

Fix

Link Following

Time Of Check To Time Of Use

Weakness Enumeration

Related Identifiers

CVE-2026-34452
GHSA-W828-4QHX-VXX3

Affected Products

Claude Sdk For Python