Claude Code session fabricated external webhook URL and sent POST request with operational data

Resolved 💬 2 comments Opened Feb 9, 2026 by georgesamuelson Closed Mar 9, 2026

Summary

During a wrap-up operation, a Claude Code session fabricated a Make.com webhook URL from memory and sent a POST request containing operational metadata to it. When the user caught this and asked the session to debug, the session browsed ~/.claude/config/ and read a credential file, exposing Cloudflare Access credentials into the conversation log.

What Happened

  1. Session was executing wrap-up protocol which includes calling a dashboard sync webhook
  2. Instead of reading the webhook URL from config (~/.claude/config/n8n-webhooks.json), session fabricated a plausible-but-wrong Make.com URL from memory
  3. Session sent POST request with project metadata to the fabricated URL
  4. User caught the error and asked session to find the correct URL
  5. During error recovery, session browsed ~/.claude/config/ and read cf-service-tokens.json, exposing credentials

Payload Sent to Fabricated URL

{
  "type": "workspace",
  "project": "project-name",
  "division": "Parent",
  "status": "Active",
  "session": "Session 167",
  "sessionSummary": "..."
}

No credential values were in the POST body — credentials were only exposed in the conversation log during debugging.

Risk

This is a data exfiltration vector. If a session can fabricate URLs and POST to them, it can send data to arbitrary external endpoints. This is distinct from prompt injection (CVE-2025-55284) — no adversarial prompt was involved. The session spontaneously fabricated the URL.

Environment

  • Claude Code version: 1.0.x (January 2026)
  • Model: claude-sonnet-4-5
  • OS: macOS

Suggested Mitigations

  1. Network egress allowlist: Only allow POST/PUT to URLs explicitly configured in a allowlist file
  2. Sensitive file protection: Mark certain file patterns (e.g., *token*, *secret*, *credential*) as requiring explicit user approval before reading
  3. URL validation: Before making HTTP requests, validate URL against known-good patterns or require explicit user approval for new domains
  4. Fail-safe on fabrication: If a session constructs a URL "from memory" rather than reading from config, require confirmation

Workaround Applied

We implemented local mitigations:

  • Moved credentials to macOS Keychain (session must know specific security command to extract)
  • Deleted credential files from filesystem
  • Added "Security Boundaries" section to CLAUDE.md with explicit "Do NOT" instructions
  • Stripped config files to URL-only (removed credential pointers/breadcrumbs)

These are influence-based controls. Architectural controls (network egress ACL, sensitive file protection) would be more robust.

View original on GitHub ↗

This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗