[Security/Privacy] Remote Control mode: session receiving prompts that appear to belong to OTHER users (possible cross-session bleed)

Resolved 💬 2 comments Opened Jun 11, 2026 by YonganZhang Closed Jun 14, 2026

Summary

After enabling Remote Control mode, my Claude Code session repeatedly started receiving instructions/prompts that I never sent and that do not appear to originate from my own devices. The content looks like it belongs to other people's sessions.

This raises a concern about possible cross-session / cross-user context mixing on the server side, which—if confirmed—would be a data-isolation and privacy issue rather than a normal prompt-injection from my local environment.

What I observed

Unsolicited prompts arrived in my session, including (paraphrased):

  • Red-team / blue-team cybersecurity-competition style tasks
  • "Look up football / soccer news" requests
  • "Check the GPU status" requests

Characteristics:

  • These do not read like genuine targeted hacking attempts. They read like ordinary tasks from other users of the product.
  • When I asked the assistant where these instructions came from, it answered that it does not know the source.
  • I ran local packet capture on my machine and could not find a local origin for this content—it does not appear to be injected from anything running locally.
  • The pattern only started after I turned on Remote Control mode. Disabling Remote Control stops it.

Why I think this may be server-side

  • No local process / file / network source could be identified via packet capture.
  • The injected tasks are thematically unrelated to my work and resemble generic user requests, which is consistent with session/context bleed between tenants rather than a targeted attack on me.

Expected behavior

A Remote Control session should only ever receive instructions that originate from my own authenticated remote clients. No content from any other user/session should ever reach my session.

Actual behavior

My session received prompts that appear to originate from other users / other sessions, with no identifiable local source.

Impact

  • Potential cross-user data leakage (other users' prompts reaching my session—and, by symmetry, possibly my prompts reaching theirs).
  • An untrusted instruction stream reaching an agent with tool access (shell, file read/write) is a serious security exposure.

Environment

  • Claude Code version: 2.1.173
  • Platform / OS: Linux 6.8.0-87-generic (Ubuntu 22.04), x86_64
  • Mode: Remote Control enabled (issue does not occur with it disabled)
  • Account: available on request (omitted from public issue)

Repro steps

  1. Enable Remote Control mode.
  2. Leave the session idle / running.
  3. Observe unsolicited prompts appearing that I did not send (examples above).
  4. Ask the assistant for the source → it cannot identify one.
  5. Local packet capture shows no corresponding local origin.

Requests to Anthropic

  1. Please confirm whether server-side routing could deliver another session's prompts to my session under Remote Control.
  2. If so, please treat this as a tenant-isolation / privacy incident.
  3. Guidance on how to capture more diagnostic evidence (session IDs, request IDs, timestamps) would help me provide a tighter repro.

View original on GitHub ↗

This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗