[BUG] Bare prompt 'changelog' can trigger recursive 'claude changelog' self-invocation, spawning hundreds of sessions and exhausting quota

Resolved 💬 5 comments Opened Apr 16, 2026 by 1719930244 Closed May 25, 2026

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version that reproduced the issue

What's Wrong?

A bare prompt like changelog can trigger Claude Code to use Bash to run:

  • claude --changelog
  • claude changelog

The second form is dangerous because claude changelog is not a real Claude Code subcommand. Instead, it starts a new Claude session with changelog as the prompt.

That new session may then make the same mistake again and run claude changelog, recursively spawning more sessions.

In my case this created a session storm and rapidly exhausted quota.

What Should Happen?

Claude Code should never recursively invoke claude through Bash for tasks like viewing changelogs or release notes.

At minimum:

  • the model/tool policy should avoid claude ... self-invocation
  • or the CLI should detect and block obvious recursive self-invocation patterns
  • or claude changelog should fail safely instead of starting a new interactive session with changelog as a prompt

Steps to Reproduce

  1. Use Claude Code CLI v2.1.110
  2. In an interactive session, submit the bare prompt:

``
changelog
``

  1. In affected cases, Claude tries to inspect the changelog by running Bash commands like:
  • claude --changelog 2>/dev/null || claude changelog 2>/dev/null || echo ...
  1. Since claude changelog is not a real subcommand, it launches a fresh Claude session with prompt changelog
  2. The new session can repeat the same behavior, leading to recursive self-invocation

Evidence

I verified with claude --help that there is no changelog command.

From local transcripts under ~/.claude/projects/-home-szw/*.jsonl:

  • 863 independent sessions started with prompt changelog
  • time window: 2026-04-16 01:40Z to 02:24Z
  • peak rate: 60 sessions per minute
  • all affected sessions were on Claude Code v2.1.110
  • 661 sessions explicitly contained Bash tool calls matching:
  • claude --changelog
  • claude changelog

Representative transcript pattern:

  1. user prompt: changelog
  2. assistant thinks it should inspect Claude Code changelog
  3. assistant uses Bash to run claude --changelog || claude changelog
  4. claude changelog launches a new Claude session with prompt changelog
  5. recursion continues until permission failures / 429 / quota exhaustion

Additional Context

This issue is distinct from token-accounting inflation bugs like #41346. In this incident, the primary problem is that real new sessions are being spawned recursively, not just duplicated log rows.

The impact can be amplified if the local permission config allows broad Bash(claude:*) execution without prompting.

Environment

  • Claude Code version: 2.1.110
  • Current downgraded version after incident: 2.1.108
  • Platform: Linux
  • Working directory during reproduction: /home/szw
  • Permissions had previously allowed broad Bash(claude:*)

Suggested Fixes

Possible mitigations:

  1. Prevent model-initiated Bash self-invocation of claude by default
  2. Add a recursion guard when Claude is launched from inside an existing Claude-controlled Bash tool call
  3. Treat unknown subcommands like claude changelog as a hard CLI error instead of falling back into prompt mode
  4. Add explicit tool-side warnings/blocking for commands matching claude <single-word-prompt> inside Bash

View original on GitHub ↗

This issue has 5 comments on GitHub. Read the full discussion on GitHub ↗