
At a Glance
CVE-2026-41686
Identifier
Medium
Severity
Local
Attack Vector
@anthropic-ai/sdk
Affected Product
A vulnerability in the Anthropic TypeScript SDK exposed the memory of AI agents to local attackers. The flaw resided in a beta tool for storing agent memory on the local filesystem. It created files and directories with insecure default permissions, making them accessible to other users on the same machine [1].
The Core Vulnerability
The issue stemmed from the `BetaLocalFilesystemMemoryTool` component. This tool used the default file modes provided by Node.js when creating new files and directories for agent memory. Specifically, it used a mode of `0o666` for files and `0o777` for directories [2].
These permissions are overly permissive. On a typical Linux system with a standard umask, this results in world-readable files. On systems with a more permissive umask, such as many Docker base images, the files could become world-writable. This meant any local user or process could potentially read or even modify the agent's persisted state.
The Agentic Attack Chain
In a shared hosting environment, such as a multi-tenant development server, the attack is straightforward. A low-privilege attacker on the same host could locate and read the memory files of an agent built with the vulnerable SDK. This could expose sensitive information the agent processed, including user data, API keys, or proprietary prompts.
The risk becomes more severe in containerized deployments. If an attacker compromises a neighboring container or the underlying host, the world-writable permissions become a critical entry point. An attacker could modify the agent's memory files directly. This threat moves beyond simple data theft into active agent manipulation.
By writing to an agent's memory, an attacker can poison its understanding of the world. They could inject false data, alter its short-term scratchpad, or corrupt its long-term knowledge base. This could cause the agent to make flawed decisions, execute malicious commands, or leak information in subsequent interactions. The agent's autonomous nature amplifies the damage from this memory tampering.
OPERATOR ACTION
Update @anthropic-ai/sdk to the latest patched version to secure agent memory files.
Why Filesystem Memory is a High-Stakes Target
Persistent memory is the foundation of a sophisticated AI agent. It is how an agent maintains context across conversations, learns from past interactions, and executes complex, multi-step tasks. This memory is not just a data store; it is the agent's cognitive workspace. Protecting its integrity is essential for reliable and safe operation.
Corrupting an agent's memory is fundamentally different from corrupting a traditional application's database. While database corruption is a serious integrity issue, the effects are often predictable. An agent acting on corrupted memory can produce unpredictable and emergent behaviors, executing actions its developers never intended.
This incident shows that security teams must expand their focus. Protecting structured databases and secrets is no longer enough. The unstructured, file-based memory systems used by many agentic frameworks represent a new, critical attack surface that requires dedicated security controls.
Insecure Defaults and the AI Supply Chain
This vulnerability was not the result of a complex algorithmic flaw but a simple insecure default. The SDK relied on the platform's default settings, which were not designed for security-sensitive applications. This is a common pitfall in software development, but its consequences are magnified when dealing with agentic systems.
Developers building AI agents rely on a complex supply chain of open-source libraries, models, and tools. When a core library like an SDK has an insecure default, that risk is inherited by every application built on top of it. A single vulnerability can ripple through the entire ecosystem, creating widespread exposure.
Authors of AI and ML tools must prioritize secure-by-default design. Functions that handle agent state, memory, or credentials must use strict, locked-down permissions from the start. Developers using these tools must also perform due diligence and not assume that defaults are safe for their production use case.
Detection and Mitigation
The immediate action for developers using the Anthropic TypeScript SDK is to update the `@anthropic-ai/sdk` package to a patched version. The vendor has released a fix that applies more restrictive file permissions to the local memory tool.
For detection, security teams should audit file permissions in directories where AI agents store state. System administrators can use standard command-line tools like `find` to locate world-readable or world-writable files created by agent processes. File Integrity Monitoring (FIM) systems can also be configured to alert on insecure permissions in these critical directories.
Long-term mitigation requires a defense-in-depth strategy. Do not rely exclusively on the library's security. Run agent processes as non-root users with minimal privileges. Enforce a secure system-wide `umask` to limit the permissions of newly created files. Finally, use container security measures like hardened base images and strict isolation policies to limit the blast radius of a potential compromise.
The Broader Implications for Agentic Security
This incident is a textbook example of how a conventional vulnerability class gains new significance in the context of AI. A file permission flaw, typically a medium-severity local issue, becomes a tool for subverting the behavior of an autonomous system. It demonstrates a direct path from a simple bug to a compromise of agent integrity.
As organizations increasingly deploy agents for critical tasks, attackers will inevitably target the components that govern their behavior. The agent's memory, tools, and underlying models are the new control plane for attackers to manipulate. Securing this control plane is a primary challenge for defenders.
Security threat models must evolve. Defenders must think beyond data exfiltration and consider attacks aimed at poisoning an agent's decision-making process. Protecting the integrity of an agent's state is as critical as protecting the confidentiality of the data it processes. This requires a new focus on the unique vulnerabilities of agentic architectures.
References
- GitHub Security Advisory (GHSA-p7fg-763f-g4gf). https://github.com/advisories/GHSA-p7fg-763f-g4gf (accessed 2026-05-02).
- Vendor security advisory (github.com). https://github.com/anthropics/anthropic-sdk-typescript/security/advisories/GHSA-p7fg-763f-g4gf (accessed 2026-05-02).
About Helixar Research Labs
Helixar is an AI-native software R&D lab focused on agentic governance, compliance, and security for enterprises and enterprise agents.
Helixar Research Labs publishes briefings on the agentic and AI threat surface, including autonomous agents, LLM tooling, MCP servers, model supply chains, and prompt injection. The goal is to surface the gap between traditional defenses and agentic attacks before it shows up in your incidents.
If you run agents in production, this is for you. Learn more at helixar.ai.