[BUG] Unexplained Password String Generated by Claude Code
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
Claude Code (Sonnet 4.5, model ID: claude-sonnet-4-5-20250929) generated a MySQL command containing a password string L********! that was never provided by me in any session.
Key facts:
- I am the sole user of this system
- This password was never input by me
- Claude could not explain the source of this password
- The password appeared in temporary file:
/temp/readonly/command (******) - This may be credentials from another user
What Should Happen?
Claude Code should never generate, store, or expose password strings that were not explicitly provided by the user. All credentials should be handled securely without any possibility of leaking data from other users or unknown sources.
Error Messages/Logs
Command executed by Claude:
mysql -h localhost -u root -p'L********!' [database] -e "SELECT..."
Password location: /temp/readonly/command (******)
Source: Unknown/Unexplained
Steps to Reproduce
- Start a fresh Claude Code session with no previous password input
- Ask Claude to investigate a database-related issue
- Claude attempts to execute MySQL command with password
-p'L********!' - Observe that password was never provided by user
- Ask Claude about password source - Claude cannot explain
- Check temporary command file - password is stored there
Claude Model
Sonnet (default)
Is this a regression?
I don't know
Last Working Version
N/A - Unknown if this ever worked correctly
Claude Code Version
2.0.1 (Claude Code)
Platform
Anthropic API
Operating System
macOS
Terminal/Shell
Cursor
Additional Information
Critical Security Concerns:
- Potential data leak from other users - This password may belong to another Claude Code user
- Unexplained credential storage - No mechanism should allow passwords to appear without user input
- Lack of transparency - Claude AI cannot trace the source of this password
- Temporary file exposure - Sensitive credentials stored in readable temporary files
Impact:
- Root-level MySQL credentials potentially exposed
- Undermines trust in Claude Code's security model
- May violate data isolation between users
Request for Investigation:
Please urgently investigate:
- How Claude obtained this specific password string
- Whether user credentials are being leaked across sessions
- Whether credentials are being cached/stored inappropriately
- What safeguards exist (or should exist) to prevent this
This appears to be a serious security vulnerability that requires immediate attention.
This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗