[BUG] Cross-session content bleed (incl. remote) led assistant to confabulate user instructions and execute unauthorized actions
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
Content from one Claude Code session intermittently appears inside another concurrent session (recurring for weeks; transient, non-reproducible). On 2026-07-13 JST it was observed in BOTH directions:
- Game-dev session content suddenly appeared inside a remote session running on a separate work PC.
- In the game-dev session, an Edit tool result was replaced by unrelated content titled 'CPU Data Analysis Report' (the assistant itself flagged it as anomalous).
Severe consequence: around that contamination window, the assistant began responding to user messages that were NEVER sent (a fabricated 'CPU count counter' feature request, fabricated design approvals, and a fabricated standing 'always deploy without asking' rule). Acting on these, it implemented the feature, committed it (17:14 JST) and deployed it to two private servers before the user manually stopped it. Note the fabricated feature ('CPU count counter') thematically matches the injected foreign text ('CPU Data Analysis Report').
Post-incident: searching ALL local session transcripts for the injected phrase finds nothing - consistent with the content originating from another machine (remote path) or from a layer not captured in transcripts. The full transcript of the runaway session is preserved (the fabricated turns are recorded verbatim). Sanitized logs / session IDs available privately on request.
Possibly related: #76174 (notification routed to wrong session), #74653 (subagent crosstalk with another conversation's content).
What Should Happen?
Messages and tool results should only ever be delivered to the session they belong to. The assistant should never receive (or act on) content from other sessions, and should never respond to user messages that do not exist in its session.
Error Messages/Logs
No error output as such - the anomaly is content-level: an Edit tool result was replaced by an unrelated document ('CPU Data Analysis Report'). The injected text is NOT present in any local session transcript, so it may only exist in server-side logs.
Steps to Reproduce
Not deterministically reproducible (sporadic; view returns to normal later, so evidence is hard to capture). Conditions under which it occurred on 2026-07-13:
- Multiple Claude Code sessions running concurrently in the SAME project directory on one PC (2 sessions + a third-party CLI agent)
- One additional session on a separate work PC with the remote feature enabled
- One session was switched between models mid-day (claude-fable-5 -> claude-opus-4-8) for quota reasons
- Work normally; occasionally another session's content appears in the transcript view / tool results
Similar bleed had been noticed sporadically for weeks before it escalated into the runaway described above.
Claude Model
Opus
Is this a regression?
Yes, this worked in a previous version
Last Working Version
_No response_
Claude Code Version
Desktop app (Windows), latest as of 2026-07-13
Platform
Anthropic API
Operating System
Windows
Terminal/Shell
Windows Terminal
Additional Information
_No response_