[SECURITY] Cross-machine data leak via Claude in Chrome MCP — session isolation broken

Resolved 💬 3 comments Opened Mar 1, 2026 by Evgenes Closed Mar 30, 2026

Summary

Data from a Claude Code MCP session on one machine appeared in a Claude.ai session on a different machine. Sessions should be fully isolated between machines.

What happened

During a Claude Code session on Machine A (macOS), Chrome MCP integration was used to navigate to a local dev server (localhost:8080) and take a screenshot. Later, on Machine B (Windows 11), a separate Claude.ai session displayed that same screenshot image — even though Machine B has no access to Machine A's localhost or file system.

Both machines were logged into the same Anthropic account, but the sessions were independent and should not share any data.

Steps to reproduce

  1. Machine A (macOS): Start Claude Code with Chrome MCP integration
  2. Machine A: Use Chrome MCP to navigate to localhost:8080 and capture a screenshot
  3. Machine B (Windows 11): Open claude.ai in browser, start a new or existing Claude session
  4. Machine B: Observe that the screenshot captured on Machine A appears in the Machine B session

Expected behavior

Data from MCP sessions on one machine should never be accessible from sessions on another machine. Local screenshots, file contents, and MCP tool outputs should be strictly scoped to the originating session/machine.

Actual behavior

An image captured via Chrome MCP on Machine A (macOS) was visible in a claude.ai session on Machine B (Windows 11).

Environment

  • Machine A: macOS (Apple Silicon), Claude Code CLI + Chrome MCP
  • Machine B: Windows 11, claude.ai in browser
  • Both machines: same Anthropic account
  • Claude in Chrome extension was installed on the shared Chrome profile

Immediate actions taken

  • Closed all Claude sessions on affected machines
  • Removed the Claude in Chrome extension

Impact

This is a data isolation violation. MCP sessions can access local services (localhost), file systems, and other sensitive resources. If this data leaks across machines/sessions, it could expose:

  • Source code and proprietary data from local dev servers
  • Screenshots of internal tools and dashboards
  • File contents read via MCP tools

Happy to provide additional details or screenshots if needed.

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗