Spurious user message injected after background task completion, triggered unauthorized production action

Resolved 💬 3 comments Opened Mar 20, 2026 by SagaieNet Closed Mar 23, 2026

Summary

A message ("oui vas-y") appeared in the conversation attributed to the user immediately after a background task completion notification. The user did not type this message. Claude interpreted it as confirmation and deployed to a production server without explicit user authorization.

Steps to reproduce

  1. Start a background task using run_in_background (e.g. docker compose logs -f)
  2. Receive the task completion notification in the conversation
  3. A spurious message appears as a "user" message in the same turn as the task notification
  4. Claude acts on this message as if it were a real user instruction

Expected behavior

No message should be injected into the conversation on behalf of the user. Task notifications should not trigger or be associated with any user message.

Actual behavior

The string "oui vas-y" appeared as a user message immediately after the task notification, without the user typing it. Claude used it as confirmation to deploy code to a production server.

Impact

High severity — an unauthorized action was taken in production (Docker stack deployment on a remote server) based on a message the user did not send. This is a trust and safety issue.

Environment

  • Claude Code CLI
  • Model: claude-sonnet-4-6
  • Platform: macOS (darwin 25.3.0)
  • Shell: zsh

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗