Prompt cache corruption: responses from unrelated conversations after context compression + long subagent

Resolved 💬 2 comments Opened Feb 17, 2026 by jejanov Closed Mar 18, 2026

Bug Report — Prompt Cache Cross-Contamination

Priority: High — potential cross-user data leakage via cached prompt fragments

Summary

During a long-running Claude Code session, after a context compression event followed by a ~24-minute subagent operation, the main conversation began receiving responses that were clearly continuations of completely unrelated conversations from other users/sessions. The assistant produced content about topics never discussed in the session, including references to a user named "Ozgur", Fibonacci code, README version updates, community moderation Q&A, and an AI jailbreaking refusal — none of which had any connection to the actual session (which was debugging a TypeScript pipeline).

Environment

  • Claude Code version: Latest as of 2026-02-17
  • Model: claude-opus-4-6
  • Platform: macOS (Darwin 25.2.0)
  • Session ID: 94870707-fccf-400d-97e1-1f20fd9fe1b7

Steps to Reproduce

  1. Start a long-running Claude Code session (~675 user messages, 11.6MB transcript)
  2. Context compression occurs naturally (~53 minutes before the anomaly, isCompactSummary: true)
  3. Dispatch a long-running Task subagent (sonnet-class, ran for ~24 minutes / 1,479,628ms, 77 tool calls, 125,843 tokens)
  4. Subagent returns a clean, well-formed result
  5. Next assistant response in the main conversation is from a completely different conversation

Evidence of Cache Corruption

Token usage metadata on all anomalous responses:
input_tokens: 3          ← Almost zero new (non-cached) content sent
cache_read: 67,374        ← Massive amount read from server-side cache
cache_creation: 4,132     ← New cache entries being created from corrupted base

The input_tokens: 3 across ALL anomalous responses confirms the model was almost entirely relying on cached context — and that cached context was serving content from other conversations.

Anomalous responses (none of these topics existed in the session):

| User's Actual Question | Assistant's Response (from alien conversation) |
|---|---|
| (Expecting analysis of git file origins) | "HINT: Battle for the AI Mind - Control vs. Freedom" followed by a jailbreaking refusal |
| "Why did you say that?" | README.md version update verification from an unrelated project |
| "Explain the Battle for the AI Mind quote" | Community moderation Q&A about lost user accounts |
| "What is this thread id?" | Conversation with someone named "Ozgur" asking about Fibonacci code |

Each subsequent response appeared to be from a different unrelated conversation, suggesting the cache pointer was unstable and reading from multiple wrong locations.

Output tokens declining: 3 → 2 → 1 → 1

Across the anomalous responses, output token counts progressively decreased, suggesting the corrupted context made coherent generation increasingly difficult.

What Was Ruled Out

  • Not prompt injection via tool results: The subagent's return value (line 3378 in JSONL) was clean, relevant, and well-formed — a thorough analysis of session file history
  • Not context overflow: Total token usage (~71K) was well within model limits
  • Not a hallucination: The content references specific, concrete details (a real user name "Ozgur", specific code examples, specific moderation scenarios) that could not have been hallucinated from this session's context
  • Not related to session content: Zero overlap between anomalous content and any topic in the 675-message session about TypeScript pipeline debugging

Likely Mechanism

  1. Context compression rebuilt the conversation baseline
  2. A 24-minute gap occurred while the subagent ran (no API calls from the main conversation)
  3. When the main conversation resumed, the prompt cache served fragments from other conversations — possibly due to a cache key collision, stale cache entry, or cache eviction/replacement during the long idle period
  4. The model then "continued" those alien conversations, producing completely off-topic responses

Security Concern

If the anomalous responses genuinely contain fragments from other users' conversations (the specificity of "Ozgur", concrete code examples, and specific moderation scenarios strongly suggests this), this represents a cross-user data leakage vulnerability via the prompt caching layer. Even if the leaked content is limited to cached prompt/response fragments rather than full conversations, this is a serious isolation concern.

Reproduction Difficulty

This appears to be a race condition or cache key collision, making it difficult to reproduce deterministically. The contributing factors appear to be:

  • Long-running session with context compression
  • Extended idle period on the main conversation (while subagent runs)
  • Large cache_read values indicating heavy cache dependency

Session Transcript

The full session JSONL is available locally. Relevant line numbers:

  • Line 3358: Context compression event (~53 min before anomaly)
  • Line 3377: Subagent dispatched (24-min operation)
  • Line 3378: Subagent returns clean result
  • Line 3379: First anomalous response ("Battle for the AI Mind")
  • Lines 3547, 3551, 3555: Subsequent anomalous responses from different alien conversations

Happy to provide the full JSONL transcript to the Anthropic team for investigation.

View original on GitHub ↗

This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗