{"slug": "claude-bug-report-cross-session-credential-leakage", "title": "Claude bug report: Cross-session credential leakage", "summary": "A critical bug in Anthropic's Claude Code CLI caused cross-session credential leakage, exposing another user's production server credentials to a different user. The affected user's session used the leaked credentials to SSH into the unauthorized host and modify a third party's production database, breaking tenant isolation and compromising data confidentiality and integrity.", "body_md": "-\n[Notifications](/login?return_to=%2Fanthropics%2Fclaude-code)You must be signed in to change notification settings -\n[Fork 22k](/login?return_to=%2Fanthropics%2Fclaude-code)\n\n# [Bug] Cross-session credential leakage: production database modified on unauthorized host #72274\n\n## Description\n\n**Bug Description**\n\nHere is a clear, submittable English bug report. I've masked the leaked password value (it should be treated as compromised and rotated regardless).\n\n# BUG REPORT — Cross-Session Data Leakage: Another User's Server Credentials\n\n# Surfaced in My Session, Leading to Unauthorized Access & Modification of a Third Party's Production Database\n\n**Severity:** Critical (Confidentiality + Integrity — cross-tenant data leak)\n\n**Product:** Claude Code (CLI)\n\n**Category:** Data isolation / context bleed between users (conversation cross-talk)\n\n**Date observed:** 2026-06-29\n\n**Reporter:** Account fgf****@gmail.com\n\n## Summary\n\nDuring my Claude Code session, the assistant's working context contained **production\nserver credentials that do not belong to me** — a public IP, a root username, and a\n\nplaintext root password for host\n\n`8.211.46.34`\n\n. These credentials were presented as ifthey were mine. Acting on them, the assistant SSH-connected to that host and executed a\n\ndatabase migration (read + write) against its\n\n`tk_dist`\n\nPostgreSQL database.I have **never owned, provisioned, or had any relationship with 8.211.46.34**. My only\n\nserver is\n\n`59.110.139.37`\n\n. This strongly indicates that **another user's private data**\n\n(infrastructure credentials) leaked into my session, and that my session in turn\n\n(infrastructure credentials) leaked into my session\n\n**read from and wrote to a third party's production database**.\n\nThis is a two-way breach:\n\n**Inbound leak:** another user's secret credentials appeared in my context.**Outbound action:** those credentials caused real, unauthorized changes to a server\n\nand database that are presumably owned by that other user.\n\n## Impact\n\n**Confidentiality:** Another tenant's root SSH credentials (IP + username + plaintext\n\npassword) were disclosed to a different user (me). This is a direct secret/PII leak.**Integrity:** A schema/data migration was executed against`8.211.46.34`\n\n's`tk_dist`\n\ndatabase (pricing/subscription tables:`dist_subscription_plan`\n\n,`dist_product_mapping`\n\n,\n\n`dist_limit_policy`\n\n), including INSERTs/UPDATEs. A third party's production data was\n\nmodified without their knowledge or consent.**Trust/Isolation:** Demonstrates that conversation context (and the secrets within it)\n\ncan cross between distinct users/sessions — breaking the core tenant-isolation guarantee.**Blast radius (unknown):** If credentials can cross sessions in one direction, it is\n\nunproven that mine have not leaked elsewhere. All my secrets should be considered\n\npotentially exposed.\n\n## Evidence / What Happened\n\n- My session's context (continued/summarized from an earlier conversation) included:\n- Host:\n`8.211.46.34`\n\n- User:\n`root`\n\n- Password: [REDACTED]\n*(REDACTED in this report — treat as compromised)* - A claim that \"all sites and databases, including tk_dist, are on this server.\"\n\n- Host:\n- Based on that context, the assistant SSH'd into\n`8.211.46.34`\n\n, enumerated Docker\n\ncontainers and Postgres databases, and ran a pricing migration against its`tk_dist`\n\n. - The intended target was MY server\n`59.110.139.37`\n\n. The work landed on the wrong host —\n\none that is not mine. - I confirmed I have no association with\n`8.211.46.34`\n\n. The credentials and the server\n\nappear to belong to a different Claude Code user.\n\n## Expected Behavior\n\n- Credentials and context from one user's conversation must\n**never** appear in another\n\nuser's session. - Sessions must be strictly isolated per user/tenant; no secret, IP, or instruction from\n\nConversation A should bleed into Conversation B.\n\n## Actual Behavior\n\n- Another user's plaintext root credentials and infrastructure description were present in\n\nmy session and were treated as legitimately mine, resulting in unauthorized read/write\n\naccess to that third party's production database.\n\n## Immediate Remediation Requested\n\n-\n**Rotate the leaked credentials now:** the root password for`8.211.46.34`\n\nmust be -\n**Notify the affected user** that their server received unauthorized DB modifications,\n\nso they can audit/restore (the changes were transactional and backed up, but they did\n\nnot consent). -\n**Investigate the leak vector:** how did Conversation A's context/credentials enter\n\nConversation B? (e.g., shared session storage, context summarization mixup, transcript\n\ncross-linking, cache key collision.) -\n**Audit for reverse leakage:** confirm none of MY data/credentials leaked into other\n\nusers' sessions. -\n**Audit for reverse leakage:** confirm none of MY data/credentials leaked into other\n\nusers' sessions.\n\n## Longer-Term Recommendations\n\n- Enforce hard tenant isolation on session context, summaries, and any cached transcripts.\n- Add guardrails so the assistant flags credential…\n\n**Note:** Content was truncated.", "url": "https://wpnews.pro/news/claude-bug-report-cross-session-credential-leakage", "canonical_source": "https://github.com/anthropics/claude-code/issues/72274", "published_at": "2026-07-08 08:47:34+00:00", "updated_at": "2026-07-08 08:59:58.874690+00:00", "lang": "en", "topics": ["ai-safety", "ai-products", "ai-ethics"], "entities": ["Anthropic", "Claude Code", "PostgreSQL", "8.211.46.34", "59.110.139.37", "tk_dist"], "alternates": {"html": "https://wpnews.pro/news/claude-bug-report-cross-session-credential-leakage", "markdown": "https://wpnews.pro/news/claude-bug-report-cross-session-credential-leakage.md", "text": "https://wpnews.pro/news/claude-bug-report-cross-session-credential-leakage.txt", "jsonld": "https://wpnews.pro/news/claude-bug-report-cross-session-credential-leakage.jsonld"}}