[BUG] [SECURITY] OAuth session cached after logout — auto-approves login without credential prompt on shared machines

Open 💬 0 comments Opened Jun 10, 2026 by roadbike9000

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

On a shared Windows machine accessed via ScreenConnect, after running claude auth logout, the next user (or same user in a new session) can run claude auth login and be automatically authenticated without being prompted for their Claude account credentials. The browser OAuth flow simply auto-approves, allowing the new user to inherit the previous user's authentication.
This is a security vulnerability because:

Any user with access to the shared account can inherit another user's Claude authentication without knowing their password
Actions taken under the inherited authentication cannot be attributed to the correct user
For corporate accounts, this breaks audit trails and compliance requirements
Multiple team members sharing one test machine can accidentally use each other's corporate Claude accounts

What Should Happen?

After claude auth logout, all authentication state should be completely cleared — including any cached browser OAuth session. When a user runs claude auth login again, they should be presented with a fresh OAuth prompt that requires them to enter their Claude account credentials before authentication succeeds.
Error messages and logs
None — the issue is that there are no errors. The OAuth flow succeeds silently without prompting, which is the problem.
Output of claude auth status after logout:
PS C:\Users\Ttesterson> claude auth status
{
"loggedIn": false,
"authMethod": "none",
"apiProvider": "firstParty"
}

Error Messages/Logs

Steps to Reproduce

Install Claude Code on Windows 11 via native installer:

powershell irm https://claude.ai/install.ps1 | iex

User A authenticates:

powershell claude auth login
Browser opens, User A enters their credentials and approves.

User A logs out:

powershell claude auth logout

User B connects to the same machine via ScreenConnect (same shared "tester" account)
User B attempts to log in:

powershell claude auth login

Expected: Browser OAuth page prompts User B for credentials
Actual: Browser opens and immediately approves without any credential prompt — User B is now authenticated as User A

Claude Model

Sonnet (default)

Is this a regression?

I don't know

Last Working Version

_No response_

Claude Code Version

2.1.170

Platform

Anthropic API

Operating System

Windows

Terminal/Shell

PowerShell

Additional Information

Setup: Shared Windows user account ("tester") accessed via ScreenConnect remote sessions
Account type: Corporate/team account (not individual claude.ai account)
Workarounds attempted:

claude auth logout (clears credentials file, but browser session persists)
Manually deleting %USERPROFILE%\.claude\.credentials.json (does not clear browser cache)
Restarting terminal between logout and login (issue persists)

The credentials file is successfully cleared (verified by claude auth status returning "loggedIn": false), but the browser OAuth session cache persists elsewhere and is not cleared by logout.

View original on GitHub ↗