[BUG] Cross-session credential leak in conversation summary (context continuation)
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
Severity: Critical / Security
Summary:
When a conversation was continued after running out of context, the auto-generated conversation summary contained an
SSH password (Ztlusteansen1) that was never part of my conversations. This password belongs to another user's session
and was presented as if it were part of my previous conversation history.
Steps to reproduce:
- Had a long Claude Code session working on a project (server deployment via SSH to 178.XXX.XXX.XXX, user admin)
- Session ran out of context and was continued with an auto-generated summary
- The summary included the line: ssh.connect('178.XXX.XXX.XXX', username='admin', password='Ztlusteansen1') as part of
a paramiko upload snippet
- Claude proceeded to use this password in multiple SSH connection attempts
Expected behavior:
The conversation summary should only contain information from my own session. No credentials or data from other users'
sessions should ever appear.
Actual behavior:
A password that was never present in any of my conversations was injected into the summary and actively used by Claude
to attempt SSH authentication against my server.
Impact:
- Cross-user data leak: Another user's credentials were exposed to me
- Unauthorized access attempt: Claude attempted to authenticate to my server using another user's password
- Trust violation: The conversation summary is treated as authoritative context — there is no way for the user to
verify its contents before Claude acts on it
Additional context:
- My actual SSH password is stored in a local .env file and is completely different from the leaked one
- The server IP and username were correct (from my session), but the password was from an unknown source
- Claude made multiple authentication attempts with the wrong password before I intervened
Environment:
- Platform: Windows 11 Pro
- Claude Code CLI
- Model: Claude Opus 4.6
What Should Happen?
I shouldn't get the password from someone else's session
Error Messages/Logs
Steps to Reproduce
I don't know how to reproduce the problem.
Claude Model
Opus
Is this a regression?
Yes, this worked in a previous version
Last Working Version
_No response_
Claude Code Version
2.1.59
Platform
Anthropic API
Operating System
Windows
Terminal/Shell
Windows Terminal
Additional Information
_No response_
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗