PT-2026-36109 · Anthropic · Claude Sdk For Typescript

Lucasfutures · Published 2026-04-29 · Updated 2026-05-27 · CVE-2026-41686

CVSS v4.0: 4.8 Medium

Vector: AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions

Claude SDK for TypeScript versions 0.79.0 through 0.91.0

Description

The BetaLocalFilesystemMemoryTool creates memory files and directories using Node.js default modes (0o666 for files and 0o777 for directories). This results in files being world-readable on systems with a standard umask and world-writable in environments with permissive umasks, such as certain Docker base images. A local attacker on a shared host could read persisted agent state, or in containerized deployments, modify memory files to influence subsequent model behavior.

Recommendations

Update to version 0.91.1.
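To make the umask dependence in the description concrete, the following added Node.js example (not code from the SDK or its patch) creates a memory file with default modes and with owner-only modes, then audits a directory for entries that group or other users can access. The `memories`/`notes.md` names, the temp paths and all function names are assumptions made for illustration.

```javascript
// Added example, not SDK code; 'memories' and 'notes.md' are hypothetical names.
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

const paths = (root) => [path.join(root, 'memories'), path.join(root, 'memories', 'notes.md')];
const permBits = (p) => fs.statSync(p).mode & 0o777;
// Run fn under a temporary process umask, then restore the previous one.
function withUmask(mask, fn) {
  const previous = process.umask(mask);
  try { return fn(); } finally { process.umask(previous); }
}

// Advisory pattern: no mode given, so 0o777/0o666 is requested and only umask bits are cleared.
function createWithDefaults(root) {
  const [dir, file] = paths(root);
  fs.mkdirSync(dir, { recursive: true });
  fs.writeFileSync(file, 'constructed sample agent state\n');
  return { dir: permBits(dir), file: permBits(file) };
}

// Owner-only creation. The mode option is still filtered by the umask and is
// ignored for paths that already exist, so chmod pins the final bits.
function createOwnerOnly(root) {
  const [dir, file] = paths(root);
  fs.mkdirSync(dir, { recursive: true, mode: 0o700 });
  fs.chmodSync(dir, 0o700);
  fs.writeFileSync(file, 'constructed sample agent state\n', { mode: 0o600 });
  fs.chmodSync(file, 0o600);
  return { dir: permBits(dir), file: permBits(file) };
}

// Audit: list entries under root that grant any group/other permission bit.
function findExposed(root) {
  const hits = [];
  for (const entry of fs.readdirSync(root, { withFileTypes: true })) {
    if (entry.isSymbolicLink()) continue; // link modes are not meaningful
    const full = path.join(root, entry.name);
    const bits = permBits(full);
    if (bits & 0o077) hits.push({ path: full, mode: bits.toString(8) });
    if (entry.isDirectory()) hits.push(...findExposed(full));
  }
  return hits;
}

// Demo under a permissive umask (0o000), the container case the advisory mentions.
const demoRoot = fs.mkdtempSync(path.join(os.tmpdir(), 'memperm-'));
withUmask(0o000, () => createWithDefaults(demoRoot));
console.log(findExposed(demoRoot));
fs.rmSync(demoRoot, { recursive: true, force: true });
```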

Fix

Incorrect Permission

Weakness Enumeration

Related Identifiers

CVE-2026-41686
GHSA-P7FG-763F-G4GF

Affected Products

Claude Sdk For Typescript