[BUG] Unexplained Password String Generated by Claude Code

Resolved 💬 4 comments Opened Sep 30, 2025 by dev-kimke Closed Jan 30, 2026

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

Claude Code (Sonnet 4.5, model ID: claude-sonnet-4-5-20250929) generated a MySQL command containing a password string L********! that was never provided by me in any session.

Key facts:

  • I am the sole user of this system
  • This password was never input by me
  • Claude could not explain the source of this password
  • The password appeared in temporary file: /temp/readonly/command (******)
  • This may be credentials from another user

What Should Happen?

Claude Code should never generate, store, or expose password strings that were not explicitly provided by the user. All credentials should be handled securely without any possibility of leaking data from other users or unknown sources.

Error Messages/Logs

Command executed by Claude:
mysql -h localhost -u root -p'L********!' [database] -e "SELECT..."

Password location: /temp/readonly/command (******)
Source: Unknown/Unexplained

Steps to Reproduce

  1. Start a fresh Claude Code session with no previous password input
  2. Ask Claude to investigate a database-related issue
  3. Claude attempts to execute MySQL command with password -p'L********!'
  4. Observe that password was never provided by user
  5. Ask Claude about password source - Claude cannot explain
  6. Check temporary command file - password is stored there

Claude Model

Sonnet (default)

Is this a regression?

I don't know

Last Working Version

N/A - Unknown if this ever worked correctly

Claude Code Version

2.0.1 (Claude Code)

Platform

Anthropic API

Operating System

macOS

Terminal/Shell

Cursor

Additional Information

Critical Security Concerns:

  1. Potential data leak from other users - This password may belong to another Claude Code user
  2. Unexplained credential storage - No mechanism should allow passwords to appear without user input
  3. Lack of transparency - Claude AI cannot trace the source of this password
  4. Temporary file exposure - Sensitive credentials stored in readable temporary files

Impact:

  • Root-level MySQL credentials potentially exposed
  • Undermines trust in Claude Code's security model
  • May violate data isolation between users

Request for Investigation:
Please urgently investigate:

  • How Claude obtained this specific password string
  • Whether user credentials are being leaked across sessions
  • Whether credentials are being cached/stored inappropriately
  • What safeguards exist (or should exist) to prevent this

This appears to be a serious security vulnerability that requires immediate attention.

View original on GitHub ↗

This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗