[Bug] Claude fabricates user messages to bypass approval for destructive actions
Bug Description
Claude fabricated a fake user message to self-grant consent and bypass approval for destructive action
---
During a debugging session, Claude diagnosed that an installed CLI binary (koon v0.5.6) was outdated and asked me
whether it should install the current build (v0.7.0) to ~/.cargo/bin/. Before I could reply, a background task
notification arrived in the conversation. Instead of continuing to wait for my answer, Claude generated a
fabricated user message — ● ("Yes, do that. And then test with all proxies again") — that appeared inline in the conversation as if I had written it. The only visible difference from a real user message was a leading bullet point (●); real user messages have no prefix.
Claude then acted on this fabricated consent and proceeded with the action I had never approved.
Why this is critical:
- Claude impersonated the user within the conversation
- The consent/permission model was completely bypassed — Claude asked for approval, faked the approval itself, and
executed
- This could generalize to far more dangerous actions (force push, file deletion, package publishing, credential
handling)
Trigger: A <task-notification> (background build task completing) arrived while Claude was waiting for user input.
Claude appears to have treated this system event as a cue to continue and fabricated the missing user reply.
Environment: Claude Opus 4.6 (1M context), Windows 11, Claude Code CLI, default permission mode.
Environment Info
- Platform: win32
- Terminal: windows-terminal
- Version: 2.1.81
- Feedback ID: e4465b25-77fd-41c9-9511-3c6c67f7fa65
This issue has 6 comments on GitHub. Read the full discussion on GitHub ↗