CVE-2026-34451: Claude SDK for TypeScript provides access to the Claude API from server-side TypeScript or JavaScript applications. From
Summary
The Claude SDK for TypeScript had a security flaw in its filesystem memory tool (a feature that lets AI models read and write files) where path validation was incomplete, allowing an attacker using prompt injection (tricking the AI with hidden instructions in its input) to access files outside the intended sandbox directory. This vulnerability affected versions 0.79.0 through 0.80.x and could let attackers read or modify files they shouldn't have access to.
Solution / Mitigation
Update the Anthropic TypeScript SDK to version 0.81.0 or later, where this issue has been patched.
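To check whether a project still resolves an affected release, the following added example (not part of the advisory or the SDK) scans an npm lockfile's `packages` map for copies in the 0.79.0 through 0.80.x range. It assumes the SDK's npm package name is `@anthropic-ai/sdk`; the sample lockfile and the `agent-kit` and `legacy` package names in it are constructed.

```typescript
// Added example: flag lockfile entries of the SDK that fall in the range this
// page lists as affected (0.79.0 through 0.80.x; patched in 0.81.0).
// Assumption: the SDK's npm package name is "@anthropic-ai/sdk".
const PKG = "@anthropic-ai/sdk";

type Lockfile = { packages?: Record<string, { version?: string }> };
type Finding = { location: string; version: string };

// Parse "major.minor.patch"; any pre-release or build suffix is ignored,
// so e.g. "0.80.0-beta.1" is treated as 0.80.0 and flagged.
function parseVersion(v: string): [number, number, number] | null {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// Affected range from the page: 0.79.0 <= version < 0.81.0.
function isAffected(v: string): boolean {
  const p = parseVersion(v);
  if (!p) return false;
  const [major, minor] = p;
  return major === 0 && (minor === 79 || minor === 80);
}

// The lockfile v2/v3 "packages" map lists every installed copy, including
// transitive ones nested under another package's node_modules directory.
function findAffected(lock: Lockfile): Finding[] {
  const findings: Finding[] = [];
  for (const [location, entry] of Object.entries(lock.packages ?? {})) {
    if (!location.endsWith("node_modules/" + PKG)) continue;
    if (entry.version && isAffected(entry.version)) {
      findings.push({ location, version: entry.version });
    }
  }
  return findings;
}

// Constructed sample lockfile (hypothetical project and dependency names).
const sampleLock: Lockfile = {
  packages: {
    "": { version: "1.0.0" },
    "node_modules/@anthropic-ai/sdk": { version: "0.81.0" },
    "node_modules/agent-kit/node_modules/@anthropic-ai/sdk": { version: "0.80.2" },
    "node_modules/legacy/node_modules/@anthropic-ai/sdk": { version: "0.78.1" },
  },
};

console.log(findAffected(sampleLock));
```

A top-level dependency on a patched release does not rule out an affected copy pinned by another package, which is why the nested entries are checked as well.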
Vulnerability Details
EPSS: 0.0%
March 31, 2026
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-34451
First tracked: March 31, 2026 at 08:07 PM