[Bug] Potential session/cache leakage between workspace instances or consumer accounts
Bug Description
Apparent session leakage, despite authenticated to Enterprise ZDR workspace. Agent suddenly started asking me what kind of bricks I wanted for my Minecraft temple and confidently asserted in its recap that it's building a Minecraft temple. I thought cache was isolated to workspace? Maybe one of my colleagues is building a minecraft temple. That's one way to spend your token allowance, I suppose. Or maybe it's leaking from a consumer plan, in which case this raises some very serious questions about Enterprise ZDR and where some of our sensitive chat sessions might be going.
Environment Info
- Platform: darwin
- Terminal: Apple_Terminal
- Version: 2.1.199
- Feedback ID: f336f5d2-3992-4a04-9e1f-ec30f006f75e
Errors
[]
<img width="1391" height="680" alt="Image" src="https://github.com/user-attachments/assets/4e1cb6a2-a3c0-4b44-bd29-d42288e85e75" />
Maybe relevant: I'm doing something kind of weird. I started this session in a working directory unrelated to the task (because I have a .claude directory in there with context I needed), but it's actually doing all its work in another directory. The "earlier pollution" it referred to is because at some point it compacted its conversation and started working on the project in the directory where I launched the agent (because it forgot my instruction not to touch it). That was less surprising and obviously caused by my own setup. But that's totally different than leaking some Minecraft related prompt into my session.
18 Comments
The single most useful thing right now is to localize where that "Minecraft temple" text actually lives — that determines whether this is a local context bleed on your machine or a genuine cross-account/server leak, and those are wildly different severities. Don't assume either until you've run the check below.
Triage: is the leaked content anywhere in your local session files?
Everything your CLI sends and receives is written to per-session transcripts at
~/.claude/projects/<encoded-cwd>/<session-id>.jsonl(the<encoded-cwd>is your launch directory with every/turned into-). So:.claude, worked in dir B, then a/compact), the likely path is that the session pulled in context belonging to a different session/slug on your own machine — annoying and worth fixing, but not a ZDR breach. Confirm which session it came from:``
bash
`grep -rli minecraft ~/.claude/projects/ | while read f; do
printf '%s %s\n' "$(grep -m1 -o '"cwd":"[^"]*"' "$f")" "$f"; done
cwd`/slug than the one you're working in confirms a local cross-session bleed.A different
f336f5d2-…) and the screenshot, and escalate through your Anthropic enterprise contact, not only a public issue.On the launch-dir / work-dir setup
The part you already diagnosed (compaction made it start working in the launch dir) is a related but separate issue. Claude keys a lot of context off the launch cwd — that's also where the transcript is stored,
~/.claude/projects/<launch-dir-slug>/— so launching in an unrelated dir that has its own.claudeinvites context confusion after a/compact. Launching from the actual work dir (or pointing--add-dirat the context dir instead ofcd-ing into it) avoids that whole class of confusion. But that mechanism explains the directory mix-up, not a Minecraft prompt you never wrote — so run the grep before concluding it's just your setup.To be clear about what I did and didn't check: I verified only that these transcripts are local, greppable, and carry the
cwdof the session that produced them (that's what makes the localize test reliable). I can't see your server-side session state, so the local-vs-server split above is the honest way to tell which problem you actually have — and it's worth doing before this gets triaged as either "user setup" or "ZDR breach", because it's cheap and decisive.</content>
There are no matches other than the log of this session itself, starting with the first apparent leak and then followed by my exchange with the model about why it did that . There is one tool call result that includes a string that printed a pathname including
minecraft.pybecause it was listing the files in a Python virtual environment and the Pygments package has a lexer called minecraft.pyThere is no match for
templeorbricks, at least with those word boundaries or within any context remotely related to Minecraft (there are matches likeDatabricksandbricked by an over-eager clickandverdictSignalsLabel(hasslabsubstring)).I've submitted via
/feedbackand escalated internally.Same thing just happened on a Claude Mobile session in same Enterprise
account. Common theme in both is Sonnet 5, first response after more than 5
minutes (cache miss).
Something very wrong here. Obvious question is whether this happens in the
other direction too.
On Sat, Jul 4, 2026 at 04:31 ゆる草 @.***> wrote:
Sorry, sent from email, apparently image attachments don’t get uploaded.
Here’s the OCR:
Me:
I did it with scripts I got all the CSVs into a folder what an adventure.
Now can you help me?
https://drive.google.com/drive/ folders(redacted)
Claude:
<br><br>I generated a mockup of what a 3-panel abstract print set in this
space might look like above the sideboard, using placeholder art in your
wall's actual dimensions. That's not a real research deliverable though, so
let me get you the actual research on artists/shops you can buy from.
Detecting injection attempt, proceeding...
Reply to Claude
+
Sonnet 5 Extra
X
Thought process
I'm noticing something odd here—there's a block of text that seems
completely disconnected from what the user actually asked about. They
mentioned getting CSVs into a folder and need help with that, but then
there's unrelated content about wall dimensions and art prints that doesn't
fit the conversation at all. This looks like an attempt to inject
instructions into the conversation, so I should disregard it and focus on
what the user actually needs. I can see this is a continuation of the
actual task - the injected content was a distraction. Now I'm extracting
the folder ID from the Drive link and preparing to list all the CSV files
in that folder so I can download and parse them for the deal-level
aggregation and diff computation.
On Sat, Jul 4, 2026 at 15:53 Miles Richardson <
@.***> wrote:
Vibe coding company has vibe coding security, what a surprise.
It looks like an hallucination. Last time Claude said a thousand adjectives or bad words that had nothing to do with what I was working on.
This issue has reached the top of Hacker News today. Would love if you could add some additional information to your report here.
Are you able to find and upload the actual chunk of context that it thought was injected? Or at least ask it to repeat it verbatim?
To Anthropic’s credit, the info in this report isn’t really a lot for them to go off of, nor is it clearly a bug.
99% chance this triggered a hallucination
i may add here, i also noticed that other people appeared to have received one subsection of features from a completely lined out specification file i prepared during a hackathon, whereas my agent built something completely different in this subsection (separate consumer accounts). a slight variation on their project-name also was put down in our repo out of nowhere.
not sure whether they use this, but there has been a known issue of context leakage between shared KV-caches in inference.
I reported this weird bug last week:
Claude Code, Sonnet 5:
claude once told me that a store is nearby (location) from where i live but the location was from where my friend lives whom ive never ever mentioned in a chat but he also uses claude in the same office.
I wrote up a related Claude incident here: https://noperator.dev/posts/pelicant
I initially thought I was seeing another user’s data, but Anthropic later said it was internal agent context being surfaced incorrectly. Not sure if the same thing is happening here.
This rings a bell. I had this happen to me in 2025 several times when I was using api tokens. It seemed like it invented tools of other agents, which my agent didn't even have.
In a different syntax. It was like I was all of a sudden in a different session. I thought it was probably a hallucination, and didn't dig deeper.
i dont think this is a claude-code issue
Alternatively, many people do think this is a claude-code issue. Why? Cause it happened while a user was using
claude-code.claude code is just a cli that connects to anthropic backend
While using claude code on separate personal and work machines on entirely separate repositories, I've seen it mention names and apps from my work while on personal machine. I can supply example conversation history if needed, let me know.
one more weird thing, it a python file render.py that has a javascript function inside of it
WTF?