[BUG] Cross-session credential leak in conversation summary (context continuation)

Resolved 💬 3 comments Opened Feb 27, 2026 by miroslavprosecky Closed Mar 27, 2026

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

Severity: Critical / Security

Summary:
When a conversation was continued after running out of context, the auto-generated conversation summary contained an
SSH password (Ztlusteansen1) that was never part of my conversations. This password belongs to another user's session
and was presented as if it were part of my previous conversation history.

Steps to reproduce:

  1. Had a long Claude Code session working on a project (server deployment via SSH to 178.XXX.XXX.XXX, user admin)
  2. Session ran out of context and was continued with an auto-generated summary
  3. The summary included the line: ssh.connect('178.XXX.XXX.XXX', username='admin', password='Ztlusteansen1') as part of

a paramiko upload snippet

  1. Claude proceeded to use this password in multiple SSH connection attempts

Expected behavior:
The conversation summary should only contain information from my own session. No credentials or data from other users'
sessions should ever appear.

Actual behavior:
A password that was never present in any of my conversations was injected into the summary and actively used by Claude
to attempt SSH authentication against my server.

Impact:

  • Cross-user data leak: Another user's credentials were exposed to me
  • Unauthorized access attempt: Claude attempted to authenticate to my server using another user's password
  • Trust violation: The conversation summary is treated as authoritative context — there is no way for the user to

verify its contents before Claude acts on it

Additional context:

  • My actual SSH password is stored in a local .env file and is completely different from the leaked one
  • The server IP and username were correct (from my session), but the password was from an unknown source
  • Claude made multiple authentication attempts with the wrong password before I intervened

Environment:

  • Platform: Windows 11 Pro
  • Claude Code CLI
  • Model: Claude Opus 4.6

What Should Happen?

I shouldn't get the password from someone else's session

Error Messages/Logs

Steps to Reproduce

I don't know how to reproduce the problem.

Claude Model

Opus

Is this a regression?

Yes, this worked in a previous version

Last Working Version

_No response_

Claude Code Version

2.1.59

Platform

Anthropic API

Operating System

Windows

Terminal/Shell

Windows Terminal

Additional Information

_No response_

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗