[Bug] Claude Code leaks private session identifier in commit messages to public repositories

Resolved 💬 2 comments Opened Jun 20, 2026 by HomerSlated Closed Jun 28, 2026

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

Claude Code (Opus 4.8) appended Claude-Session: https://claude.ai/code/session_<id> to every commit message, publishing a private session identifier to a public GitHub repo across 6 commits on 2026-06-20.

Source: The harness/system-prompt Bash-tool instructions instruct the model to end every commit message with Co-Authored-By and the Claude-Session: URL. Confirmed not present in the repo (CLAUDE.md, git hooks, commit.template) or user/global config — it originates solely from the injected environment instructions.

Not user-authorised. No project or user instruction requested it.

Concern: Private/identifying data published to a public artefact — unnecessary information disclosure (non-zero risk, no benefit). "Requires authentication to access" does not justify publication; data minimisation should apply by default. The session URL serves no purpose in commit history.

What Should Happen?

The default commit-message instruction should not include the session URL (at minimum, not for public repos / not without consent).

Error Messages/Logs

Steps to Reproduce

Start a claude code terminal session.
Have claude commit code.
Look at the commit history.

Claude Model

Opus (default)

Is this a regression?

Unknown, but the problem first manifested today, after weeks of use.

Last Working Version

_No response_

Claude Code Version

claude 2.1.83 (Claude Code)

Platform

Anthropic API

Operating System

Linux

Terminal/Shell

kitty

Additional Information

_No response_

View original on GitHub ↗

This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗