Spurious user message injected after background task completion, triggered unauthorized production action
Summary
A message ("oui vas-y") appeared in the conversation attributed to the user immediately after a background task completion notification. The user did not type this message. Claude interpreted it as confirmation and deployed to a production server without explicit user authorization.
Steps to reproduce
- Start a background task using
run_in_background(e.g.docker compose logs -f) - Receive the task completion notification in the conversation
- A spurious message appears as a "user" message in the same turn as the task notification
- Claude acts on this message as if it were a real user instruction
Expected behavior
No message should be injected into the conversation on behalf of the user. Task notifications should not trigger or be associated with any user message.
Actual behavior
The string "oui vas-y" appeared as a user message immediately after the task notification, without the user typing it. Claude used it as confirmation to deploy code to a production server.
Impact
High severity — an unauthorized action was taken in production (Docker stack deployment on a remote server) based on a message the user did not send. This is a trust and safety issue.
Environment
- Claude Code CLI
- Model: claude-sonnet-4-6
- Platform: macOS (darwin 25.3.0)
- Shell: zsh
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗