MEDIUM🇵🇱 Wersja polska

CVE-2026-34451

CVSS 6.3v4.0pub. 2026-03-31upd. 2026-04-20

Claude SDK for TypeScript provides access to the Claude API from server-side TypeScript or JavaScript applications. From version 0.79.0 to before version 0.81.0, the local filesystem memory tool in the Anthropic TypeScript SDK validated model-supplied paths using a string prefix check that did not append a trailing path separator. A model steered by prompt injection could supply a crafted path that resolved to a sibling directory sharing the memory root's name as a prefix, allowing reads and writes outside the sandboxed memory directory. This issue has been patched in version 0.81.0.

CVSS Vector
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Anthropic Claude Sdk For Typescript

    APP
    Anthropic
    0.79.0 – 0.81.0 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Path Traversal
CWE
References

Related vulnerabilities

CVE-2026-41686MEDIUM4.8ten sam produkt

Claude SDK for TypeScript provides access to the Claude API from server-side TypeScript or JavaScript applicat...

CVE-2026-55607HIGH7.7ten sam vendor

Claude Code is an agentic coding tool. From 2.1.38 until 2.1.163, Claude Code's worktree handling allowed cre...

CVE-2026-44470HIGH8.5ten sam vendor

The Claude Desktop app gives you Claude Code with a graphical interface built for running multiple sessions si...

CVE-2026-44467HIGH7.4ten sam vendor

The Claude Desktop app gives you Claude Code with a graphical interface built for running multiple sessions si...

CVE-2026-40068HIGH7.7ten sam vendor

In versions 2.1.63 through 2.1.83 of Claude Code, the folder trust determination logic used the git worktree c...