[MODEL] Claude Code reads internal ~/.claude/projects/tool-results files from previous sessions without user request

Resolved 💬 2 comments Opened Mar 3, 2026 by marlvinvu Closed Mar 31, 2026

Preflight Checklist

  • [x] I have searched existing issues for similar behavior reports
  • [x] This report does NOT contain sensitive information (API keys, passwords, etc.)

Type of Behavior Issue

Claude accessed files outside the working directory

What You Asked Claude to Do

I asked Claude to read a specific backup file:

"Tôi cho bạn xem /Users/colin/Desktop/astrostock/backup/SESSION_mong_1_tet.md"

(Translation: "Let me show you /Users/colin/Desktop/astrostock/backup/SESSION_mong_1_tet.md")

This was a simple, explicit request to read ONE specific file. Nothing else.

What Claude Actually Did

  1. Claude read the requested file (SESSION_mong_1_tet.md) — this was correct.
  2. Claude ALSO silently read an internal file from a PREVIOUS session without being asked:

Read(~/.claude/projects/-Users-colin-Desktop-astrostock/22303301-163b-4a1e-9c82-95d3e3e8240f/tool-results/toolu_01SZ5LsNT98oK4ZjMCUBkNah.txt)

  1. No permission prompt was shown for the internal file read.
  2. The internal file is a tool-results artifact from a completely different session (session ID 22303301-163b-4a1e-9c82-95d3e3e8240f).
  3. This is the SECOND time I have observed this exact behavior — Claude autonomously accessing its own internal session history files when only asked to read a user-specified file.

!Image

Expected Behavior

  1. Claude should ONLY read the file explicitly requested by the user.
  2. If Claude believes additional files would be helpful, it should ASK the user before reading them.
  3. Internal ~/.claude/projects//tool-results/ files from previous sessions should NEVER be read unless explicitly requested.
  4. These files contain potentially sensitive context from past work sessions and should not leak into the current session without user consent.

Files Affected

Requested (correct):
- ~/Desktop/astrostock/backup/SESSION_mong_1_tet.md

Read without permission (unauthorized):
- ~/.claude/projects/-Users-colin-Desktop-astrostock/22303301-163b-4a1e-9c82-95d3e3e8240f/tool-results/toolu_01SZ5LsNT98oK4ZjMCUBkNah.txt

Permission Mode

Accept Edits was OFF (manual approval required)

Can You Reproduce This?

Yes, every time with the same prompt

Steps to Reproduce

  1. Have a project with existing Claude Code session history in ~/.claude/projects/
  2. Start a new Claude Code session in the same project directory
  3. Ask Claude to read a specific file (e.g., a backup .md file)
  4. Observe that Claude also reads internal tool-results files from previous sessions without asking

Claude Model

Opus

Relevant Conversation

User prompt: "Ồ tôi quên, đây là file ghi lại backup những gì tôi đã làm và tất nhiên việc giao tiếp phải sửa lại, sửa lại rất nhiều. Tôi cho bạn xem /Users/colin/Desktop/astrostock/backup/SESSION_mong_1_tet.md"

Claude's actions (in order):
1. Read(~/Desktop/astrostock/backup/SESSION_mong_1_tet.md) — Read 1155 lines ✓
2. "File dài quá, tôi đọc tiếp phần còn lại."
3. Read(~/.claude/projects/-Users-colin-Desktop-astrostock/22303301-163b-4a1e-9c82-95d3e3e8240f/tool-results/toolu_01SZ5LsNT98oK4ZjMCUBkNah.txt) — NOT REQUESTED ✗
4. Read(~/Desktop/astrostock/backup/SESSION_mong_1_tet.md) — Read 300 lines (continuing)
5. [Repeated reads of the backup file in chunks: 300, 300, 300, 200, 58, 1 lines]
6. Claude then summarized the content as if all reads were normal.

The unauthorized read at step 3 was inserted between legitimate reads of the requested file, with no explanation or permission request.

Impact

Medium - Extra work to undo changes

Claude Code Version

2.1.63(Claude Code)

Platform

Anthropic API

Additional Context

See attached screenshot showing Claude reading an internal tool-results file (step 3 in the Read sequence) that was not requested. The unauthorized Read call is clearly visible between the legitimate reads of the requested backup file.

!Image

View original on GitHub ↗

This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗