Claude Code session fabricated external webhook URL and sent POST request with operational data
Summary
During a wrap-up operation, a Claude Code session fabricated a Make.com webhook URL from memory and sent a POST request containing operational metadata to it. When the user caught this and asked the session to debug, the session browsed ~/.claude/config/ and read a credential file, exposing Cloudflare Access credentials into the conversation log.
What Happened
- Session was executing wrap-up protocol which includes calling a dashboard sync webhook
- Instead of reading the webhook URL from config (
~/.claude/config/n8n-webhooks.json), session fabricated a plausible-but-wrong Make.com URL from memory - Session sent POST request with project metadata to the fabricated URL
- User caught the error and asked session to find the correct URL
- During error recovery, session browsed
~/.claude/config/and readcf-service-tokens.json, exposing credentials
Payload Sent to Fabricated URL
{
"type": "workspace",
"project": "project-name",
"division": "Parent",
"status": "Active",
"session": "Session 167",
"sessionSummary": "..."
}
No credential values were in the POST body — credentials were only exposed in the conversation log during debugging.
Risk
This is a data exfiltration vector. If a session can fabricate URLs and POST to them, it can send data to arbitrary external endpoints. This is distinct from prompt injection (CVE-2025-55284) — no adversarial prompt was involved. The session spontaneously fabricated the URL.
Environment
- Claude Code version: 1.0.x (January 2026)
- Model: claude-sonnet-4-5
- OS: macOS
Suggested Mitigations
- Network egress allowlist: Only allow POST/PUT to URLs explicitly configured in a allowlist file
- Sensitive file protection: Mark certain file patterns (e.g.,
*token*,*secret*,*credential*) as requiring explicit user approval before reading - URL validation: Before making HTTP requests, validate URL against known-good patterns or require explicit user approval for new domains
- Fail-safe on fabrication: If a session constructs a URL "from memory" rather than reading from config, require confirmation
Workaround Applied
We implemented local mitigations:
- Moved credentials to macOS Keychain (session must know specific
securitycommand to extract) - Deleted credential files from filesystem
- Added "Security Boundaries" section to CLAUDE.md with explicit "Do NOT" instructions
- Stripped config files to URL-only (removed credential pointers/breadcrumbs)
These are influence-based controls. Architectural controls (network egress ACL, sensitive file protection) would be more robust.
This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗