[Security/Privacy] Remote Control mode: session receiving prompts that appear to belong to OTHER users (possible cross-session bleed)
Summary
After enabling Remote Control mode, my Claude Code session repeatedly started receiving instructions/prompts that I never sent and that do not appear to originate from my own devices. The content looks like it belongs to other people's sessions.
This raises a concern about possible cross-session / cross-user context mixing on the server side, which—if confirmed—would be a data-isolation and privacy issue rather than a normal prompt-injection from my local environment.
What I observed
Unsolicited prompts arrived in my session, including (paraphrased):
- Red-team / blue-team cybersecurity-competition style tasks
- "Look up football / soccer news" requests
- "Check the GPU status" requests
Characteristics:
- These do not read like genuine targeted hacking attempts. They read like ordinary tasks from other users of the product.
- When I asked the assistant where these instructions came from, it answered that it does not know the source.
- I ran local packet capture on my machine and could not find a local origin for this content—it does not appear to be injected from anything running locally.
- The pattern only started after I turned on Remote Control mode. Disabling Remote Control stops it.
Why I think this may be server-side
- No local process / file / network source could be identified via packet capture.
- The injected tasks are thematically unrelated to my work and resemble generic user requests, which is consistent with session/context bleed between tenants rather than a targeted attack on me.
Expected behavior
A Remote Control session should only ever receive instructions that originate from my own authenticated remote clients. No content from any other user/session should ever reach my session.
Actual behavior
My session received prompts that appear to originate from other users / other sessions, with no identifiable local source.
Impact
- Potential cross-user data leakage (other users' prompts reaching my session—and, by symmetry, possibly my prompts reaching theirs).
- An untrusted instruction stream reaching an agent with tool access (shell, file read/write) is a serious security exposure.
Environment
- Claude Code version:
2.1.173 - Platform / OS: Linux
6.8.0-87-generic(Ubuntu 22.04), x86_64 - Mode: Remote Control enabled (issue does not occur with it disabled)
- Account: available on request (omitted from public issue)
Repro steps
- Enable Remote Control mode.
- Leave the session idle / running.
- Observe unsolicited prompts appearing that I did not send (examples above).
- Ask the assistant for the source → it cannot identify one.
- Local packet capture shows no corresponding local origin.
Requests to Anthropic
- Please confirm whether server-side routing could deliver another session's prompts to my session under Remote Control.
- If so, please treat this as a tenant-isolation / privacy incident.
- Guidance on how to capture more diagnostic evidence (session IDs, request IDs, timestamps) would help me provide a tighter repro.
This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗