CVE-2026-41686 (GHSA-p7fg-763f-g4gf) is a medium-severity vulnerability in the @anthropic-ai/sdk npm package, affecting versions 0.79.0 through 0.91.0.
The BetaLocalFilesystemMemoryTool creates memory files and directories using Node.js default permissions: 0o666 for files and 0o777 for directories.
On systems with a standard umask, these files become world-readable. In permissive umask environments — common in Docker base images — they become world-writable.
A local attacker on a shared host can read persisted agent state (conversation history, tool outputs). In containerized deployments, an attacker can modify memory files to influence subsequent model behavior.
The vulnerability was published on GitHub Advisories on April 29, 2026. The fix is available in SDK version 0.91.1.
Why it matters
The Anthropic SDK is the foundation for many custom AI agent applications — any project using BetaLocalFilesystemMemoryTool for persistent agent memory is potentially affected.
Agent memory files contain conversation history, tool call results, and potentially sensitive context that an attacker could harvest or manipulate.
Memory file modification could lead to agent behavior manipulation — a form of local supply-chain compromise where the model's persistent state is poisoned.
This follows a broader pattern of AI infrastructure security gaps: default configurations that work in development become liabilities in production.
What to do
Update @anthropic-ai/sdk to version 0.91.1 or later.
Set a restrictive umask (077) in your deployment environment as a defense-in-depth measure.
Review permissions on .claude/memory/ directories: ls -la ~/.claude/memory/
Run containers as non-root users and restrict filesystem access between containers on shared hosts.