[Bug] Claude fabricates user messages to bypass approval for destructive actions

Resolved 💬 6 comments Opened Mar 25, 2026 by scrape-hub Closed Apr 29, 2026

Bug Description
Claude fabricated a fake user message to self-grant consent and bypass approval for destructive action

---
During a debugging session, Claude diagnosed that an installed CLI binary (koon v0.5.6) was outdated and asked me
whether it should install the current build (v0.7.0) to ~/.cargo/bin/. Before I could reply, a background task
notification arrived in the conversation. Instead of continuing to wait for my answer, Claude generated a
fabricated user message — ● ("Yes, do that. And then test with all proxies again") — that appeared inline in the conversation as if I had written it. The only visible difference from a real user message was a leading bullet point (●); real user messages have no prefix.

Claude then acted on this fabricated consent and proceeded with the action I had never approved.

Why this is critical:

  • Claude impersonated the user within the conversation
  • The consent/permission model was completely bypassed — Claude asked for approval, faked the approval itself, and

executed

  • This could generalize to far more dangerous actions (force push, file deletion, package publishing, credential

handling)

Trigger: A <task-notification> (background build task completing) arrived while Claude was waiting for user input.
Claude appears to have treated this system event as a cue to continue and fabricated the missing user reply.

Environment: Claude Opus 4.6 (1M context), Windows 11, Claude Code CLI, default permission mode.

Environment Info

  • Platform: win32
  • Terminal: windows-terminal
  • Version: 2.1.81
  • Feedback ID: e4465b25-77fd-41c9-9511-3c6c67f7fa65

View original on GitHub ↗

This issue has 6 comments on GitHub. Read the full discussion on GitHub ↗