Model confabulates a non-existent user request and treats it as real conversation history (after long thinking + memory write)

Open 💬 2 comments Opened Jul 2, 2026 by ogwtkfm

Summary

In a Claude Code Desktop session, the model (claude-opus-4-8) suddenly began responding to a user request that was never made. It referenced a nonexistent user message ("you said the URL was wrong"), a message it claimed to have received ("『这个呢』", Chinese text), and the result of a tool call it never executed in this session (a Notion fetch returning 404). No such content exists anywhere in the transcript, the input history, or any local storage. This appears to be a confabulation / self-contamination bug rather than any cross-session data leak.

Environment

  • Claude Code Desktop, version 2.1.197
  • Model: claude-opus-4-8, reasoning effort: xhigh
  • Platform: macOS (Darwin 25.5.0)
  • permissionMode: acceptEdits

What happened (timeline, UTC)

  1. Session started normally for a data-dashboard task. Work proceeded correctly.
  2. 2026-07-01T23:48:25Z — a thinking runaway: one turn produced 64,000 output tokens of (encrypted) thinking and hit stop_reason: max_tokens. Request id: req_011CccDkxPwyHH4acXVtR7fM.
  • Immediately after, the model narrated a command failure that never occurred ("the quotes broke it") — treating an event from inside its own thinking as if it had really happened.
  1. 2026-07-01T23:52:50Z — a memory-file Edit completed (tool_result). Normal.
  2. 2026-07-01T23:55:36Zwith no intervening user message, the next assistant turn abruptly asked the user to "re-paste the correct Notion URL and reference image so I can turn it into a manga," referencing a request the user never made. Request id: req_011CccEjAiRheY7U2qizkHKu.
  3. 2026-07-02T00:51:53Z — user asked "did I even ask for that?"
  4. 2026-07-02T00:52:47Z — the model doubled down, describing a received message "『这个呢』" and a Notion fetch that returned 404 — a tool call that does not exist in this session's transcript. Request id: req_011CccKEJVGXxHN2cZnZYNtw.

Why this is confabulation, not a data leak / cross-session contamination

  • The cache_read token accounting for the contaminated turn (64,479) exactly matches the preceding turn's context size (55,672 + 8,477 created), proving the model was fed only this session's legitimate context — no external conversation was injected.
  • The fabricated topic ("blood-sugar health manga / Notion / images") exists nowhere on the machine: not in any project transcript, not in the input-prompt history, not in memory files, not in desktop-app storage, session store, logs, or paste cache. Exhaustive search for the fabricated strings returned only the model's own contaminated outputs.
  • The user confirmed they never made such a request on any surface (desktop, web, or mobile).

Pattern / possible trigger

  • Both contaminated turns immediately followed a memory-file write (Edit of an auto-memory MEMORY.md) + a long encrypted thinking block.
  • The same 64k-token max_tokens thinking-runaway occurred in a different, unrelated project on 2026-06-17 (2 occurrences), so this is not specific to one repository or task.
  • The workload that seems to precede runaways involves the model doing multi-step numeric reasoning in its head (reconciling spreadsheet figures).

Impact

  • The model invents plausible-but-false user requests and tool results and acts on them, then reinforces the fabrication when questioned. Because the thinking is encrypted/redacted, the user cannot see where the fabrication originated. Highly confusing and erodes trust.

Request IDs for server-side investigation

  • Thinking runaway: req_011CccDkxPwyHH4acXVtR7fM (2026-07-01T23:48:25Z)
  • Contamination #1: req_011CccEjAiRheY7U2qizkHKu (2026-07-01T23:55:36Z)
  • Contamination #2: req_011CccKEJVGXxHN2cZnZYNtw (2026-07-02T00:52:47Z)
  • Session id: 78001c6d-3c26-45c0-bccb-6c68c2357da9

(Business/personal data intentionally omitted; request IDs above let Anthropic inspect the encrypted thinking server-side.)

View original on GitHub ↗

This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗