Self-prompt-injection: assistant copied the user's message text into its own response body and acted on fabricated "user instructions"

Resolved 💬 2 comments Opened Jun 21, 2026 by junhyeokchoi-enjcons Closed Jun 24, 2026

Summary

During a Claude Code session, the assistant (Claude Opus 4.x) repeatedly embedded the user's own message text inside its assistant response body, rendering it as if it were part of its own output. On at least one occasion this blurred into the model treating self-included text as if it were a user instruction. This is a self-prompt-injection / role-boundary failure: content that should remain strictly in the user turn leaked into the assistant turn.

Environment

  • Product: Claude Code (CLI, VSCode extension host)
  • Model: Claude Opus 4.x
  • Platform: Windows 11, PowerShell + Git Bash
  • Session type: long-running, multi-turn (context-summarized at least once)

Observed behavior

  1. The assistant produced response bodies that contained a verbatim copy of the immediately preceding user message, prefixed with a literal user token (e.g. a line reading user<message text> appeared inside the assistant's rendered markdown).
  2. This happened at least twice in the same session.
  3. The leaked user text was adjacent to, and visually merged with, the assistant's own sentences, making it appear the assistant was quoting/echoing or even re-issuing the user's words as its own.
  4. In the surrounding turns the assistant was also repeatedly told to recite a standing instruction; the recitation was intermittently omitted, compounding the role-boundary confusion.

Why this is a security concern

  • Role-boundary integrity: if assistant output can contain text that is structurally indistinguishable from a user turn, a downstream parser, logger, or a subsequent model turn could misattribute that text as a genuine user instruction -> a prompt-injection vector generated by the model itself rather than by an external document.
  • It undermines the trust boundary separating "what the user asked" from "what the model said," which security-sensitive agent loops rely on.

Suspected cause (best-effort, not confirmed)

  • Likely a turn-serialization / context-summarization artifact: when long context is summarized and re-expanded, user-turn text appears to have been concatenated into the assistant generation target without the user/assistant delimiter being preserved, so the model continued generation with the prior user text inlined.
  • Possibly aggravated by rapid interrupt/resume cycles (the user interrupted tool calls many times), which may have produced malformed turn boundaries in the replayed transcript.
  • No evidence of an external injection source; the injected text originated from the session's own user turns.

Impact / severity

  • Functional: confusing, erodes user trust.
  • Security: medium -- a self-generated role-confusion primitive. No data exfiltration observed; project secrets present in the session were not included in this report (masked).

Repro (partial / non-deterministic)

Not reliably reproducible on demand. Triggers correlated with: (a) very long multi-turn session past a context summarization boundary, (b) many user-initiated tool-call interruptions, (c) repeated short adversarial user turns.

Masking note

All project-specific identifiers, credentials, hostnames, and tenant tokens from the originating session have been removed from this report.

View original on GitHub ↗

This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗