[Bug] Cross-session message isolation failure — unrelated user message leaked into active conversation

Resolved 💬 2 comments Opened Jun 28, 2026 by acosmi-fushihua Closed Jul 2, 2026

Bug Description
Title: Cross-session message bleed — an unrelated user message from another conversation appeared inside my active session Summary While working in a Claude Code session that was entirely focused on one task (adding a Xiaomi MiMo provider adapter to our model gateway — Go backend + frontend changes), an unrelated user message suddenly appeared in the conversation as if I had sent it. I did not send it. The content belongs to a completely different context and strongly appears to have leaked in from another window/session or another user. Steps to reproduce Not deterministically reproducible on demand. Observed during normal concurrent use of multiple Claude Code windows/sessions against the same working environment. The stray message arrived mid-task with no action on my part that would explain it. Expected behavior Messages are strictly isolated to the session/conversation in which they were sent. No message from another window, session, or user should ever enter my conversation history. Actual behavior A foreign message appeared in my session: curlnpm install -g @clean-store/cli报错 The assistant treated it as my request and acted on it. Evidence that this message did not belong to the session 1. Malformed/concatenated text: curl and npm are fused into curlnpm, consistent with two separate inputs being spliced together. 2. Topically unrelated: The entire session was about a Go/TypeScript gateway adapter task that requires no npm global CLI installation. The package is irrelevant to anything discussed. 3. The package does not exist: @clean-store/cli returns 404 Not Found from the public npm registry (https://registry.npmjs.org/@clean-store%2fcli), and a full-repository search found zero references to clean-store anywhere in our codebase. Impact / Severity (please treat as elevated) This is a session-isolation failure. If another party's message can leak into my conversation, the symmetric risk is that my messages could leak into someone else's conversation — which would be a privacy/confidentiality breach. In this instance the leaked content was harmless (a failed install), but the isolation boundary itself was violated, which is the real concern. Secondary issue (assistant behavior) The assistant executed the stray, clearly out-of-context command instead of first questioning whether it belonged to the current task. For anomalous, off-topic, or malformed inputs, the assistant should pause and confirm rather than act. Environment - Client: Claude Code (CLI), version 2.1.195 - Model: Claude Opus 4.8 (1M context) - Platform: macOS (darwin) - Usage pattern: multiple concurrent Claude Code windows/sessions sharing the same machine/working directory (relevant — likely related to the leak)

Environment Info

  • Platform: darwin
  • Terminal: Apple_Terminal
  • Version: 2.1.195
  • Feedback ID: 6043e702-52fa-48bb-8075-971ea786d814

Errors

[]

View original on GitHub ↗

This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗