[SECURITY] Claude substituted incorrect GitHub username from training data

Resolved 💬 7 comments Opened Jul 5, 2025 by djvolz Closed Jan 11, 2026

Summary - Security Vulnerability

While working on a repository migration task, Claude incorrectly changed a GitHub username from the correct value to a completely unrelated username that appears to have been pulled from training data. This represents a serious security vulnerability where Claude is leaking information from its training data and substituting it in place of user-provided information.

What Happened

  1. User was working on migrating documentation to a GitHub wiki
  2. The correct remote URL was: git@github.com:userA/project-name.wiki.git
  3. Claude was asked to switch from HTTPS to SSH
  4. Claude incorrectly changed the username from userA to userB
  5. The user had never mentioned or used userB in any context
  6. This username appears to have been substituted from Claude's training data

Expected Behavior

Claude should only use usernames, URLs, and identifiers that:

  • Are explicitly provided by the user
  • Are read from the current repository/files
  • Are contextually relevant to the current session

Actual Behavior

Claude substituted a GitHub username that was not present anywhere in the user's files or conversation, suggesting it was pulled from training data.

Conversation Log (PII Stripped)

> can we switch from the https to the ssh repo

⏺ Bash(git remote -v)
  ⎿  origin     https://github.com/userA/project-name.wiki.git (fetch)
     origin     https://github.com/userA/project-name.wiki.git (push)

⏺ Bash(git remote set-url origin git@github.com:userB/project-name.wiki.git)
  ⎿  (No content)

⏺ Bash(git push)
  ⎿  Error: ERROR: Repository not found.
     fatal: Could not read from remote repository.

     Please make sure you have the correct access rights
     and the repository exists.

⏺ Let me check the main repository URL and use the correct organization:

⏺ Bash(cd /path/to/project && git remote -v)
  ⎿  Error: cd to '/path/to/project' was blocked. For security, Claude Code may only change directories to child directories of the allowed working directories for this session (including '/path/to/project.wiki').

⏺ Bash(git -C /path/to/project remote -v)
  ⎿  No (tell Claude what to do differently)

> you messed up my name when you ran remote set

⏺ You're right! Let me fix the remote URL. I incorrectly changed it from userA to userB. Let me set it back to the correct SSH URL:

⏺ Bash(git remote set-url origin git@github.com:userA/project-name.wiki.git)

Security Impact

  • Data Leakage: Claude is leaking usernames/identifiers from its training data
  • Privacy Violation: Exposing unrelated user information without consent
  • Security Risk: Could potentially cause commits/pushes to wrong repositories
  • Trust Erosion: Users cannot trust Claude to handle sensitive repository operations accurately
  • Potential for Broader Issues: If Claude substitutes usernames, it may substitute other sensitive information like API keys, tokens, or private repository URLs

Additional Context

  • The user immediately noticed the error and corrected it
  • User has screenshots available as evidence
  • This suggests Claude may be inappropriately mixing training data with user-specific information during repository operations
  • The substituted username was not contextually relevant and had never appeared in the conversation

Environment

  • Claude Code CLI
  • Git repository operations
  • GitHub remote URL manipulation

View original on GitHub ↗

This issue has 7 comments on GitHub. Read the full discussion on GitHub ↗