CVE-2026-41686

Description

Claude SDK for TypeScript provides access to the Claude API from server-side TypeScript or JavaScript applications. From version 0.79.0 to before version 0.91.1, the BetaLocalFilesystemMemoryTool in the Anthropic TypeScript SDK created memory files and directories using the Node.js default modes (0o666 for files, 0o777 for directories), leaving them world-readable on systems with a standard umask and world-writable in environments with a permissive umask such as many Docker base images. A local attacker on a shared host could read persisted agent state, and in containerized deployments could modify memory files to influence subsequent model behavior. This issue has been patched in version 0.91.1.

CVSS Details

CVSS Score

4.4

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:anthropic:claude_sdk_for_typescript:*:*:*:*:*:*:*:* - VULNERABLE

Anthropic TypeScript SDK >= 0.79.0, < 0.91.1

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

const fs = require('fs');
const path = require('path');

// Simulating the vulnerable behavior of BetaLocalFilesystemMemoryTool
const vulnerableDir = './vulnerable_memory';
const vulnerableFile = path.join(vulnerableDir, 'agent_state.json');

// Create directory with 0o777 (vulnerable default)
if (!fs.existsSync(vulnerableDir)) {
    fs.mkdirSync(vulnerableDir, 0o777);
    console.log(`[+] Created directory with mode: 0o777`);
}

// Write file with 0o666 (vulnerable default)
fs.writeFileSync(vulnerableFile, JSON.stringify({ memory: 'Secret data' }), { mode: 0o666 });
console.log(`[+] Created file with mode: 0o666`);

// Check actual permissions
const dirStats = fs.statSync(vulnerableDir);
const fileStats = fs.statSync(vulnerableFile);

// Parse mode (remove file type bits)
const dirMode = (dirStats.mode & parseInt('777', 8)).toString(8);
const fileMode = (fileStats.mode & parseInt('777', 8)).toString(8);

console.log(`[!] Directory actual permissions: ${dirMode}`);
console.log(`[!] File actual permissions: ${fileMode}`);

// Verify vulnerability
if (dirMode === '777' || fileMode === '666') {
    console.log('[!] VULNERABILITY CONFIRMED: Permissions are too loose.');
} else {
    console.log('[?] Permissions might be restricted by system umask.');
}

// Cleanup
fs.unlinkSync(vulnerableFile);
fs.rmdirSync(vulnerableDir);

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-41686
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-41686
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-41686/
[4] VulDB https://vuldb.com/cve/CVE-2026-41686
[5] https://github.com/anthropics/anthropic-sdk-typescript/security/advisories/GHSA-p7fg-763f-g4gf

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-41686", "sourceIdentifier": "[email protected]", "published": "2026-05-04T19:16:03.883", "lastModified": "2026-05-12T18:37:14.560", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Claude SDK for TypeScript provides access to the Claude API from server-side TypeScript or JavaScript applications. From version 0.79.0 to before version 0.91.1, the BetaLocalFilesystemMemoryTool in the Anthropic TypeScript SDK created memory files and directories using the Node.js default modes (0o666 for files, 0o777 for directories), leaving them world-readable on systems with a standard umask and world-writable in environments with a permissive umask such as many Docker base images. A local attacker on a shared host could read persisted agent state, and in containerized deployments could modify memory files to influence subsequent model behavior. This issue has been patched in version 0.91.1."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 4.8, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "baseScore": 4.4, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.8, "impactScore": 2.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-732"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:anthropic:claude_sdk_for_typescript:*:*:*:*:*:*:*:*", "versionStartIncluding": "0.79.0", "versionEndExcluding": "0.91.1", "matchCriteriaId": "50E41017-CFDC-4431-8CFE-684631825041"}]}]}], "references": [{"url": "https://github.com/anthropics/anthropic-sdk-typescript/security/advisories/GHSA-p7fg-763f-g4gf", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}