
Security researchers disclosed three separate vulnerabilities today impacting popular tools in the AI and automation ecosystem. Flaws in the Anthropic TypeScript SDK, the OpenClaw webchat platform, and the n8n automation tool highlight a recurring theme. Insecure defaults and missing boundary checks can create significant risks, particularly in agentic systems that interact with local filesystems and external services.
At a Glance
3
Advisories
High
Implied Severity
npm
Ecosystem
AI & Automation
Surface
Claude SDK Tool Creates World-Readable Agent Memory
A vulnerability in the Anthropic TypeScript SDK could expose an AI agent's memory to local attackers. The flaw, tracked as CVE-2026-41686, affects the `@anthropic-ai/sdk` npm package. Specifically, the experimental `BetaLocalFilesystemMemoryTool` created files and directories with insecure default permissions, a significant oversight for a feature designed to persist agent state. [2]
An attacker with local access to a shared host running an affected agent could exploit this flaw. They could read the contents of the agent's memory files. This persisted state might include sensitive information like prior conversation history, secrets retrieved by tools, or intermediate data from the model's reasoning process. The ability to read this data constitutes a serious information leak.
The technical cause was the tool's reliance on Node.js default file modes. It created files as `0o666` and directories as `0o777`. On many systems, the default user file-creation mode mask (umask) would mitigate the worst of this, but still leave files world-readable. The risk is highest in environments with a permissive umask of `0000`, common in some Docker base images. In that scenario, memory files become world-writable, allowing an attacker to modify an agent's memory and potentially control its future actions. [1]
Anthropic has addressed the vulnerability in an updated version of the SDK. Developers using the `BetaLocalFilesystemMemoryTool` are advised to upgrade to the latest version immediately to apply the fix. Anthropic credited security researcher `lucasfutures` for discovering and reporting the issue.
OpenClaw Flaw Allows Agent-Influenced File Exfiltration
The OpenClaw webchat platform contained a vulnerability that allowed for unauthorized local file reads. The flaw, which does not yet have a CVE ID, affected versions up to `2026.4.14`. It enabled a crafted agent response to embed local audio files from the host server into a webchat session, bypassing intended security boundaries. [3]
The attack vector involves manipulating an agent's output. An attacker who could influence a `ReplyPayload.mediaUrl`, either through prompt injection or by compromising a tool used by the agent, could specify a local file path. The webchat audio helper would then resolve this path, read the file, and base64-encode its contents into the chat. This crosses the critical boundary between model output and the host filesystem.
This security failure occurred because a specific code path for embedding audio lacked a crucial check. Other media-serving paths in OpenClaw correctly used an `assertLocalMediaAllowed` function to ensure file access remained within a contained media root. The audio embedding path omitted this check. The public fix applies this containment check to the vulnerable path, closing the file-read gadget. [5]
While the impact is narrowed by file type and size constraints, the issue represents a serious data exfiltration risk. The contents of any file readable by the gateway process could be exposed. The OpenClaw team thanked researcher `@zsxsoft` for the report and recommends all users upgrade to version `2026.4.15` or later. [4]
n8n Automation Platform Vulnerable to Stored XSS
The n8n workflow automation platform was found to have a stored cross-site scripting (XSS) vulnerability. Tracked as CVE-2026-42235, the flaw could allow an unauthenticated attacker to execute arbitrary JavaScript in an authenticated user's browser session. This could lead to session hijacking and control over the victim's automation workflows. [6]
The attack requires a specific sequence of events. First, an attacker registers a malicious MCP OAuth client, embedding a script into the `client_name` field. Second, a user on the n8n instance must authorize this malicious client. Finally, if a different user revokes the client's access, a toast notification appears. This notification would render the malicious client name without proper sanitization, triggering the XSS payload.
For an automation platform like n8n, a successful XSS attack has severe consequences. An attacker with control of a user's session can steal credentials for connected services like databases and APIs. They can also manipulate, disable, or exfiltrate data from critical workflows. In environments where n8n orchestrates agentic tasks, this could allow an attacker to indirectly control AI agents or poison their data sources.
The n8n team has patched this vulnerability in version 2.14.2. All users are strongly encouraged to upgrade. If an immediate upgrade is not possible, administrators can implement temporary workarounds. These include restricting access to the MCP OAuth registration endpoint or disabling the MCP server if it is not in use. [7]
Common Threads
All three vulnerabilities originate in the npm ecosystem. They highlight the shared risk inherent in software supply chains. More importantly, they demonstrate a pattern of boundary-crossing failures. The Anthropic SDK flaw blurred the process boundary on a shared host. The OpenClaw vulnerability crossed the line between agent output and the host filesystem. The n8n exploit allowed an attacker to jump from an unauthenticated context into a privileged user session.
These incidents underscore the need for secure defaults and explicit validation, especially in AI-adjacent systems. Default file permissions, unchecked URL inputs, and unsanitized client names were the respective root causes. As developers build increasingly complex agentic applications, they must remember that every interface between components is a potential security boundary that requires careful design and rigorous testing.
Defender Takeaway
The primary lesson from today's advisories is that securing AI and automation systems requires a relentless focus on the fundamentals. Developers and operators must treat the outputs of models and tools with the same skepticism as direct user input. Every interface, whether a file on disk, a URL in a payload, or a name in a database, is an attack surface. Each one requires validation, sanitization, and strict permissioning.
OPERATOR ACTION
Audit all interfaces between agentic components and host systems for proper input validation and permission enforcement.
References
- GitHub Security Advisory (GHSA-p7fg-763f-g4gf). https://github.com/advisories/GHSA-p7fg-763f-g4gf (accessed 2026-04-30).
- Vendor security advisory (github.com). https://github.com/anthropics/anthropic-sdk-typescript/security/advisories/GHSA-p7fg-763f-g4gf (accessed 2026-04-30).
- GitHub Security Advisory (GHSA-gfg9-5357-hv4c). https://github.com/advisories/GHSA-gfg9-5357-hv4c (accessed 2026-04-30).
- Vendor security advisory (github.com). https://github.com/openclaw/openclaw/security/advisories/GHSA-gfg9-5357-hv4c (accessed 2026-04-30).
- Patch commit / PR (github.com). https://github.com/openclaw/openclaw/commit/6e58f1f9f54bca1fea1268ec0ee4c01a2af03dde (accessed 2026-04-30).
- GitHub Security Advisory (GHSA-537j-gqpc-p7fq). https://github.com/advisories/GHSA-537j-gqpc-p7fq (accessed 2026-04-30).
- Vendor security advisory (github.com). https://github.com/n8n-io/n8n/security/advisories/GHSA-537j-gqpc-p7fq (accessed 2026-04-30).
About Helixar Research Labs
Helixar is an AI-native software R&D lab focused on agentic governance, compliance, and security for enterprises and enterprise agents.
Helixar Research Labs publishes briefings on the agentic and AI threat surface, including autonomous agents, LLM tooling, MCP servers, model supply chains, and prompt injection. The goal is to surface the gap between traditional defenses and agentic attacks before it shows up in your incidents.
If you run agents in production, this is for you. Learn more at helixar.ai.