IDE selection from a closed, never-saved file leaks into model context (transmitted a secret)

Open 💬 1 comment Opened Jun 26, 2026 by yj7

Summary

The VSCode extension captured an IDE selection from an editor that had already been closed and whose buffer was never saved, and transmitted that selection into the conversation context (<ide_selection>). The selected text happened to contain a live secret (a Google OAuth client secret, shape GOCSPX-…). Closing the editor and never persisting the file did not prevent the selection from being read and sent to the model.

The defect: selection/context capture outlives the editor lifecycle and ignores unsaved/closed state. Content the user has dismissed (closed without saving) can still leak into the model context.

Severity

Security / privacy. The leaked content was a credential. Even setting aside this specific value, any selection a user makes and then discards by closing an unsaved buffer is expected to be gone — instead it can still be transmitted.

Expected behavior

  • IDE selection context should reflect only currently open editors.
  • When an editor is closed, its selection should no longer be a candidate for <ide_selection> / <ide_opened_file> context.
  • Unsaved/never-saved buffers that are closed should not have their contents transmitted.

Actual behavior

  • Selection from a closed, never-saved file was still captured and injected as <ide_selection> context on a subsequent turn.

Steps to reproduce

  1. In VSCode (with the Claude Code extension active), open or create a new file.
  2. Type/paste content into it (e.g. a string resembling GOCSPX-xxxxxxxxxxxxxxxxxxxxxxxx) and select that text.
  3. Close the editor tab without saving (discard / never-saved buffer).
  4. Send any message to Claude Code.
  5. Observe that the discarded selection appears in the model context (<ide_selection>).

Environment

  • Claude Code: 2.1.168
  • IDE: VSCode (native Claude Code extension)
  • OS: macOS (Darwin 25.5.0)

Notes

The actual secret value is intentionally not included in this report. Reporter is rotating the credential. Filing because the capture-after-close / capture-of-unsaved behavior is the underlying bug and is reproducible independent of the specific content.

View original on GitHub ↗

This issue has 1 comment on GitHub. Read the full discussion on GitHub ↗