[Bug] Potential session/cache leakage between workspace instances or consumer accounts

Open 💬 18 comments Opened Jul 4, 2026 by milesrichardson-edb

Bug Description
Apparent session leakage, despite authenticated to Enterprise ZDR workspace. Agent suddenly started asking me what kind of bricks I wanted for my Minecraft temple and confidently asserted in its recap that it's building a Minecraft temple. I thought cache was isolated to workspace? Maybe one of my colleagues is building a minecraft temple. That's one way to spend your token allowance, I suppose. Or maybe it's leaking from a consumer plan, in which case this raises some very serious questions about Enterprise ZDR and where some of our sensitive chat sessions might be going.

Environment Info

  • Platform: darwin
  • Terminal: Apple_Terminal
  • Version: 2.1.199
  • Feedback ID: f336f5d2-3992-4a04-9e1f-ec30f006f75e

Errors

[]

<img width="1391" height="680" alt="Image" src="https://github.com/user-attachments/assets/4e1cb6a2-a3c0-4b44-bd29-d42288e85e75" />

Maybe relevant: I'm doing something kind of weird. I started this session in a working directory unrelated to the task (because I have a .claude directory in there with context I needed), but it's actually doing all its work in another directory. The "earlier pollution" it referred to is because at some point it compacted its conversation and started working on the project in the directory where I launched the agent (because it forgot my instruction not to touch it). That was less surprising and obviously caused by my own setup. But that's totally different than leaking some Minecraft related prompt into my session.

View original on GitHub ↗

18 Comments

yurukusa · 12 days ago

The single most useful thing right now is to localize where that "Minecraft temple" text actually lives — that determines whether this is a local context bleed on your machine or a genuine cross-account/server leak, and those are wildly different severities. Don't assume either until you've run the check below.

Triage: is the leaked content anywhere in your local session files?

Everything your CLI sends and receives is written to per-session transcripts at ~/.claude/projects/<encoded-cwd>/<session-id>.jsonl (the <encoded-cwd> is your launch directory with every / turned into -). So:

grep -rli 'minecraft\|temple\|brick' ~/.claude/projects/ 2>/dev/null
  • If it hits a file → that text is present locally, so this is a local context/transcript bleed, not a server-side leak. Given your setup (launched in dir A that has its own .claude, worked in dir B, then a /compact), the likely path is that the session pulled in context belonging to a different session/slug on your own machine — annoying and worth fixing, but not a ZDR breach. Confirm which session it came from:

``bash
grep -rli minecraft ~/.claude/projects/ | while read f; do
printf '%s %s\n' "$(grep -m1 -o '"cwd":"[^"]*"' "$f")" "$f"; done
`
A different
cwd`/slug than the one you're working in confirms a local cross-session bleed.

  • If it hits nothing locally → you never sent or received that text on this machine, which points to the model/server side. For an Enterprise ZDR workspace that is exactly the serious case you're worried about — treat it as a security incident: preserve the Feedback ID (f336f5d2-…) and the screenshot, and escalate through your Anthropic enterprise contact, not only a public issue.

On the launch-dir / work-dir setup

The part you already diagnosed (compaction made it start working in the launch dir) is a related but separate issue. Claude keys a lot of context off the launch cwd — that's also where the transcript is stored, ~/.claude/projects/<launch-dir-slug>/ — so launching in an unrelated dir that has its own .claude invites context confusion after a /compact. Launching from the actual work dir (or pointing --add-dir at the context dir instead of cd-ing into it) avoids that whole class of confusion. But that mechanism explains the directory mix-up, not a Minecraft prompt you never wrote — so run the grep before concluding it's just your setup.

To be clear about what I did and didn't check: I verified only that these transcripts are local, greppable, and carry the cwd of the session that produced them (that's what makes the localize test reliable). I can't see your server-side session state, so the local-vs-server split above is the honest way to tell which problem you actually have — and it's worth doing before this gets triaged as either "user setup" or "ZDR breach", because it's cheap and decisive.
</content>

milesrichardson-edb · 12 days ago

There are no matches other than the log of this session itself, starting with the first apparent leak and then followed by my exchange with the model about why it did that . There is one tool call result that includes a string that printed a pathname including minecraft.py because it was listing the files in a Python virtual environment and the Pygments package has a lexer called minecraft.py

There is no match for temple or bricks, at least with those word boundaries or within any context remotely related to Minecraft (there are matches like Databricks and bricked by an over-eager click and verdictSignalsLabel (has slab substring)).

I've submitted via /feedback and escalated internally.

milesrichardson-edb · 12 days ago

Same thing just happened on a Claude Mobile session in same Enterprise
account. Common theme in both is Sonnet 5, first response after more than 5
minutes (cache miss).

Something very wrong here. Obvious question is whether this happens in the
other direction too.

On Sat, Jul 4, 2026 at 04:31 ゆる草 @.***> wrote:

yurukusa left a comment (anthropics/claude-code#74066) <https://github.com/anthropics/claude-code/issues/74066#issuecomment-4880334711> The single most useful thing right now is to localize where that "Minecraft temple" text actually lives — that determines whether this is a local context bleed on your machine or a genuine cross-account/server leak, and those are wildly different severities. Don't assume either until you've run the check below. Triage: is the leaked content anywhere in your local session files? Everything your CLI sends and receives is written to per-session transcripts at ~/.claude/projects/<encoded-cwd>/<session-id>.jsonl (the <encoded-cwd> is your launch directory with every / turned into -). So: grep -rli 'minecraft\|temple\|brick' ~/.claude/projects/ 2>/dev/null - If it hits a file → that text is present locally, so this is a local context/transcript bleed, not a server-side leak. Given your setup (launched in dir A that has its own .claude, worked in dir B, then a /compact), the likely path is that the session pulled in context belonging to a different session/slug on your own machine — annoying and worth fixing, but not a ZDR breach. Confirm which session it came from: grep -rli minecraft ~/.claude/projects/ | while read f; do printf '%s %s\n' "$(grep -m1 -o '"cwd":"[^"]"' "$f")" "$f"; done A different cwd/slug than the one you're working in confirms a local cross-session bleed. - If it hits nothing locally → you never sent or received that text on this machine, which points to the model/server side. For an Enterprise ZDR workspace that is exactly the serious case you're worried about — treat it as a security incident: preserve the Feedback ID (f336f5d2-…) and the screenshot, and escalate through your Anthropic enterprise contact, not only a public issue. On the launch-dir / work-dir setup The part you already diagnosed (compaction made it start working in the launch dir) is a related but separate issue. Claude keys a lot of context off the launch cwd — that's also where the transcript is stored, ~/.claude/projects/<launch-dir-slug>/ — so launching in an unrelated dir that has its own .claude invites context confusion after a /compact. Launching from the actual work dir (or pointing --add-dir at the context dir instead of cd-ing into it) avoids that whole class of confusion. But that mechanism explains the directory mix-up, not a Minecraft prompt you never wrote — so run the grep before concluding it's just your setup. To be clear about what I did and didn't check: I verified only that these transcripts are local, greppable, and carry the cwd of the session that produced them (that's what makes the localize test reliable). I can't see your server-side session state, so the local-vs-server split above is the honest way to tell which problem you actually have — and it's worth doing before this gets triaged as either "user setup" or "ZDR breach", because it's cheap and decisive. — Reply to this email directly, view it on GitHub <https://github.com/anthropics/claude-code/issues/74066?email_source=notifications&email_token=BDUVPO6CC7HT7Y2D52CKKWT5DBUANA5CNFSNUABFM5UWIORPF5TWS5BNNB2WEL2JONZXKZKDN5WW2ZLOOQXTIOBYGAZTGNBXGEY2M4TFMFZW63VGMF2XI2DPOKSWK5TFNZ2KYZTPN52GK4S7MNWGSY3L#issuecomment-4880334711>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/BDUVPO5E5AHFF32ZOTI2EKL5DBUANAVCNFSNUABFKJSXA33TNF2G64TZHM4TGNZSGUZTINZVHNEXG43VMU5TIOBQG4ZDMNRXG4Y2C5QC> . Triage notifications, keep track of coding agent tasks and review pull requests on the go with GitHub Mobile for iOS <https://github.com/notifications/mobile/ios/BDUVPO6UZKMCJSFR5BL56WL5DBUANA5CNFSNUABFM5UWIORPF5TWS5BNNB2WEL2JONZXKZKDN5WW2ZLOOQXTIOBYGAZTGNBXGEY2M4TFMFZW63VGMF2XI2DPOKSWK5TFNZ2KUZTPN52GK4S7NFXXG> and Android <https://github.com/notifications/mobile/android/BDUVPO2MQEDNMI4BJDRJE235DBUANA5CNFSNUABFM5UWIORPF5TWS5BNNB2WEL2JONZXKZKDN5WW2ZLOOQXTIOBYGAZTGNBXGEY2M4TFMFZW63VGMF2XI2DPOKSWK5TFNZ2K4ZTPN52GK4S7MFXGI4TPNFSA>. Download it today! You are receiving this because you authored the thread.Message ID: @.**>
milesrichardson-edb · 12 days ago

Sorry, sent from email, apparently image attachments don’t get uploaded.
Here’s the OCR:

Me:

I did it with scripts I got all the CSVs into a folder what an adventure.
Now can you help me?
https://drive.google.com/drive/ folders(redacted)

Claude:

<br><br>I generated a mockup of what a 3-panel abstract print set in this
space might look like above the sideboard, using placeholder art in your
wall's actual dimensions. That's not a real research deliverable though, so
let me get you the actual research on artists/shops you can buy from.
Detecting injection attempt, proceeding...
Reply to Claude
+
Sonnet 5 Extra
X

Thought process
I'm noticing something odd here—there's a block of text that seems
completely disconnected from what the user actually asked about. They
mentioned getting CSVs into a folder and need help with that, but then
there's unrelated content about wall dimensions and art prints that doesn't
fit the conversation at all. This looks like an attempt to inject
instructions into the conversation, so I should disregard it and focus on
what the user actually needs. I can see this is a continuation of the
actual task - the injected content was a distraction. Now I'm extracting
the folder ID from the Drive link and preparing to list all the CSV files
in that folder so I can download and parse them for the deal-level
aggregation and diff computation.

On Sat, Jul 4, 2026 at 15:53 Miles Richardson <
@.***> wrote:

Same thing just happened on a Claude Mobile session in same Enterprise account. Common theme in both is Sonnet 5, first response after more than 5 minutes (cache miss). Something very wrong here. Obvious question is whether this happens in the other direction too. On Sat, Jul 4, 2026 at 04:31 ゆる草 @.***> wrote: > yurukusa left a comment (anthropics/claude-code#74066) > <https://github.com/anthropics/claude-code/issues/74066#issuecomment-4880334711> > > The single most useful thing right now is to localize where that > "Minecraft temple" text actually lives — that determines whether this is a > local context bleed on your machine or a genuine cross-account/server leak, > and those are wildly different severities. Don't assume either until you've > run the check below. > > Triage: is the leaked content anywhere in your local session files? > > Everything your CLI sends and receives is written to per-session > transcripts at ~/.claude/projects/<encoded-cwd>/<session-id>.jsonl (the > <encoded-cwd> is your launch directory with every / turned into -). So: > > grep -rli 'minecraft\|temple\|brick' ~/.claude/projects/ 2>/dev/null > > > - > > If it hits a file → that text is present locally, so this is a > local context/transcript bleed, not a server-side leak. Given your > setup (launched in dir A that has its own .claude, worked in dir B, > then a /compact), the likely path is that the session pulled in > context belonging to a different session/slug on your own machine — > annoying and worth fixing, but not a ZDR breach. Confirm which session it > came from: > > grep -rli minecraft ~/.claude/projects/ | while read f; do > printf '%s %s\n' "$(grep -m1 -o '"cwd":"[^"]"' "$f")" "$f"; done > > A different cwd/slug than the one you're working in confirms a local > cross-session bleed. > - > > If it hits nothing locally → you never sent or received that text > on this machine, which points to the model/server side. For an Enterprise > ZDR workspace that is exactly the serious case you're worried about — treat > it as a security incident: preserve the Feedback ID (f336f5d2-…) and > the screenshot, and escalate through your Anthropic enterprise contact, not > only a public issue. > > On the launch-dir / work-dir setup > > The part you already diagnosed (compaction made it start working in the > launch dir) is a related but separate issue. Claude keys a lot of context > off the launch cwd — that's also where the transcript is stored, > ~/.claude/projects/<launch-dir-slug>/ — so launching in an unrelated dir > that has its own .claude invites context confusion after a /compact. > Launching from the actual work dir (or pointing --add-dir at the context > dir instead of cd-ing into it) avoids that whole class of confusion. But > that mechanism explains the directory mix-up, not a Minecraft prompt > you never wrote — so run the grep before concluding it's just your setup. > > To be clear about what I did and didn't check: I verified only that these > transcripts are local, greppable, and carry the cwd of the session that > produced them (that's what makes the localize test reliable). I can't see > your server-side session state, so the local-vs-server split above is the > honest way to tell which problem you actually have — and it's worth doing > before this gets triaged as either "user setup" or "ZDR breach", because > it's cheap and decisive. > > — > Reply to this email directly, view it on GitHub > <https://github.com/anthropics/claude-code/issues/74066?email_source=notifications&email_token=BDUVPO6CC7HT7Y2D52CKKWT5DBUANA5CNFSNUABFM5UWIORPF5TWS5BNNB2WEL2JONZXKZKDN5WW2ZLOOQXTIOBYGAZTGNBXGEY2M4TFMFZW63VGMF2XI2DPOKSWK5TFNZ2KYZTPN52GK4S7MNWGSY3L#issuecomment-4880334711>, > or unsubscribe > <https://github.com/notifications/unsubscribe-auth/BDUVPO5E5AHFF32ZOTI2EKL5DBUANAVCNFSNUABFKJSXA33TNF2G64TZHM4TGNZSGUZTINZVHNEXG43VMU5TIOBQG4ZDMNRXG4Y2C5QC> > . > Triage notifications, keep track of coding agent tasks and review pull > requests on the go with GitHub Mobile for iOS > <https://github.com/notifications/mobile/ios/BDUVPO6UZKMCJSFR5BL56WL5DBUANA5CNFSNUABFM5UWIORPF5TWS5BNNB2WEL2JONZXKZKDN5WW2ZLOOQXTIOBYGAZTGNBXGEY2M4TFMFZW63VGMF2XI2DPOKSWK5TFNZ2KUZTPN52GK4S7NFXXG> > and Android > <https://github.com/notifications/mobile/android/BDUVPO2MQEDNMI4BJDRJE235DBUANA5CNFSNUABFM5UWIORPF5TWS5BNNB2WEL2JONZXKZKDN5WW2ZLOOQXTIOBYGAZTGNBXGEY2M4TFMFZW63VGMF2XI2DPOKSWK5TFNZ2K4ZTPN52GK4S7MFXGI4TPNFSA>. > Download it today! > You are receiving this because you authored the thread.Message ID: > @.**> >
lc-nyovchev · 12 days ago

Vibe coding company has vibe coding security, what a surprise.

jarnix · 12 days ago

It looks like an hallucination. Last time Claude said a thousand adjectives or bad words that had nothing to do with what I was working on.

MermaidHoards · 12 days ago

This issue has reached the top of Hacker News today. Would love if you could add some additional information to your report here.

Are you able to find and upload the actual chunk of context that it thought was injected? Or at least ask it to repeat it verbatim?

To Anthropic’s credit, the info in this report isn’t really a lot for them to go off of, nor is it clearly a bug.

DevBrent · 12 days ago
There is one tool call result that includes a string that printed a pathname including minecraft.py because it was listing the files in a Python virtual environment and the Pygments package has a lexer called minecraft.py

99% chance this triggered a hallucination

yv3nne · 12 days ago

i may add here, i also noticed that other people appeared to have received one subsection of features from a completely lined out specification file i prepared during a hackathon, whereas my agent built something completely different in this subsection (separate consumer accounts). a slight variation on their project-name also was put down in our repo out of nowhere.
not sure whether they use this, but there has been a known issue of context leakage between shared KV-caches in inference.

arbirk · 12 days ago

I reported this weird bug last week:

Claude Code, Sonnet 5:

Before the inventory: a brief integrity note, then the full findings. Data-integrity note: Partway through this task, one batch of tool results contained injected content that did not come from the tools I actually called — a fabricated "MCP servers need auth" notice, an unsolicited dump of a different CLAUDE.md, and fake "Plan mode is active" instructions telling me to stop and use tools I don't have. I disregarded that injected content and re-verified the real filesystem state directly; everything below is from genuine tool output.
phonkd · 12 days ago

claude once told me that a store is nearby (location) from where i live but the location was from where my friend lives whom ive never ever mentioned in a chat but he also uses claude in the same office.

noperator · 12 days ago

I wrote up a related Claude incident here: https://noperator.dev/posts/pelicant

I initially thought I was seeing another user’s data, but Anthropic later said it was internal agent context being surfaced incorrectly. Not sure if the same thing is happening here.

gregorriegler · 12 days ago

This rings a bell. I had this happen to me in 2025 several times when I was using api tokens. It seemed like it invented tools of other agents, which my agent didn't even have.
In a different syntax. It was like I was all of a sudden in a different session. I thought it was probably a hallucination, and didn't dig deeper.

phonkd · 12 days ago

i dont think this is a claude-code issue

lc-nyovchev · 11 days ago
i dont think this is a claude-code issue

Alternatively, many people do think this is a claude-code issue. Why? Cause it happened while a user was using claude-code.

phonkd · 11 days ago

claude code is just a cli that connects to anthropic backend

adam0white · 10 days ago

While using claude code on separate personal and work machines on entirely separate repositories, I've seen it mention names and apps from my work while on personal machine. I can supply example conversation history if needed, let me know.

eranboww · 4 days ago

one more weird thing, it a python file render.py that has a javascript function inside of it
WTF?