Claude Code Issue #74066: Users Report Cross-Workspace Context Bleed on Sonnet 5, Anthropic Has Not Yet Responded

lschvn

On 2026-07-04 at 02:04 UTC, a Claude Code user filed anthropics/claude-code#74066 describing a session on Claude Code 2.1.199 running Sonnet 5 that started returning text about an unrelated Minecraft temple build. The reporter, @milesrichardson-edb, is on Anthropic Enterprise Zero Data Retention (ZDR), the isolation tier where prompts are not retained and not used for training. By 2026-07-05, the issue had 14 comments, no Anthropic engineer engagement, and the labels bug, platform:macos, area:core, area:security applied. The thread also surfaced five related reports going back over a year, on Claude Code, Claude Mobile, and Claude deep research.

What the reporter actually saw

The bug body is a roughly 200-word bug report with one attached screenshot and an OCR transcript of a follow-up. The functional summary:

  • A Claude Code session on Enterprise ZDR is mid-task on a data-analysis project (CSV files for an unrelated dataset).
  • The agent stops mid-task, asks the user what kind of bricks they want for their Minecraft temple, and asserts in the recap that it is "building a Minecraft temple."
  • The user has no Minecraft project. The trajectory refers to "earlier pollution" that the user did not write. The local JSONL transcript at ~/.claude/projects/<encoded-cwd>/<session-id>.jsonl (the per-session, per-launch-directory log that Claude Code writes on macOS, Linux, and Windows under WSL) greps clean for bricks, temple, and minecraft, apart from one stray filename reference and the OCR of the symptom itself.
  • The reporter had also worked on a different .claude/-context directory in the same launch working tree earlier in the day, but the mismatch does not map onto the symptom (those messages were about an unrelated point fix, not Minecraft).

The reporter explicitly disclaims two obvious explanations: local log cross-pollination (the JSONL is per-session and grep-clean), and a Pygments lexer file called minecraft.py leaking through tool output (only the filename string appears, never bricks or temple).
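The reporter's grep can be made more precise by asking where each term first appears in the transcript: a term whose earliest occurrence is in model output was not seeded by anything local. This is an added example, not code from the issue or from Claude Code; the record layout (a top-level "type" of "user" or "assistant") and the sample lines are assumptions constructed for illustration.

```python
import json
import re

# Constructed sample transcript (not from the issue). Assumption: each JSONL
# record carries a top-level "type" of "user" or "assistant".
SAMPLE = [
    '{"type":"user","message":{"content":"Summarize sales.csv by region"}}',
    '{"type":"user","message":{"content":[{"type":"tool_result","content":"lexers/minecraft.py\\nlexers/python.py"}]}}',
    '{"type":"assistant","message":{"content":[{"type":"text","text":"What kind of bricks do you want for your Minecraft temple?"}]}}',
    '{"type":"user","message":{"content":"I have no temple project. Why ask about bricks?"}}',
    '{"type":"assistant","message":{"content":[{"type":"te',  # truncated final line
]

def iter_strings(value, path="$"):
    """Yield (json_path, text) for every string nested anywhere in a JSON value."""
    if isinstance(value, str):
        yield path, value
    elif isinstance(value, dict):
        for key, child in value.items():
            yield from iter_strings(child, f"{path}.{key}")
    elif isinstance(value, list):
        for index, child in enumerate(value):
            yield from iter_strings(child, f"{path}[{index}]")

def first_appearances(lines, terms):
    """Map each term to (line_no, record_type, json_path) of its earliest occurrence."""
    wanted = sorted({t.lower() for t in terms})
    pattern = re.compile("|".join(re.escape(t) for t in wanted), re.IGNORECASE)
    first = {}
    for lineno, raw in enumerate(lines, 1):
        try:
            record = json.loads(raw)
        except json.JSONDecodeError:
            record = {"type": "unparsed", "raw": raw}  # keep corrupt lines searchable
        kind = record.get("type", "unknown") if isinstance(record, dict) else "unknown"
        for path, text in iter_strings(record):
            for match in pattern.finditer(text):
                first.setdefault(match.group(0).lower(), (lineno, kind, path))
    return first

def unexplained_terms(lines, terms):
    """Terms whose earliest occurrence is model output: nothing local seeded them."""
    first = first_appearances(lines, terms)
    return sorted(t for t, (_, kind, _) in first.items() if kind == "assistant")

if __name__ == "__main__":
    terms = ["bricks", "temple", "minecraft"]
    for term, where in sorted(first_appearances(SAMPLE, terms).items()):
        print(term, where)
    print("unexplained:", unexplained_terms(SAMPLE, terms))
```

To run it on a real session, pass an open file handle for the .jsonl transcript as lines.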

The five corroborating reports

By 2026-07-04 17:08 UTC, five public comments on the issue describe similar behavior. Three observations tighten the pattern:

  1. @arbirk describes a single response that contained a fabricated "MCP servers need auth" notice, an unrelated CLAUDE.md dump, and fake "Plan mode is active" instructions telling the agent to stop and use tools it does not have. Three layers of out-of-band system instructions in the same response from a single user.
  2. The reporter files the same symptom on Claude Mobile in the same Enterprise account within hours, with the common factor being Sonnet 5 and "first response after more than 5 minutes (cache miss)." Cache-miss + first-turn is the prefix shape most likely to trip a shared-key inference cache.
  3. noperator.dev's June 2026 deep research writeup is the prior public incident with the same surface: deep-research task titles leaking unrelated content (Hebrew calligraphy lessons, "Bananas: A Comprehensive History"). Anthropic told Gross that this was internal scaffolding being rendered into the UI, with the user-visible fragments being Anthropic-authored sample queries rather than another user's prompt.

The architectural fit

The hypothesis that fits without Anthropic's stack needing to consciously violate isolation is KV-cache reuse on the inference path. Anthropic, like every frontier model provider in 2026, runs a prompt cache to avoid recomputing long system prefixes for repeat customers. The cache key is a hash of the prefix tokens plus the tenant identifier; a hash collision under load (Sonnet 5 cache miss + first-turn, specifically) would surface another tenant's cached prefix into the model's effective context window. No code path needs to "read another tenant's data"; the KV cache just returns the wrong state's activations.

This is unverified. @yv3nne's comment in the thread flags the same pattern; @noperator flags it explicitly. Anthropic has not commented, and Anthropic's cloud-cache documentation is consistent with reuse but does not pin down how cache lookups gate against tenant boundaries in shared-cache scenarios. The Enterprise ZDR position as documented is that prompts are not retained; if a KV cache entry is replayed by another tenant on a cache hit, that is functionally indistinguishable from a retention event for the recipient.
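A toy model of the hypothesized failure, as an added example (not Anthropic's implementation, which is not public, and not code from the issue thread): a cache that trusts a key match alone hands one tenant's stored state to another on a collision, while a lookup that also compares the stored owner and prefix turns the collision into a miss. The class, function and tenant names are hypothetical, and the key is truncated to 12 bits only so that a collision can be found quickly.

```python
import hashlib

KEY_BITS = 12  # deliberately tiny so the demo finds a collision in a few thousand tries

def cache_key(tenant, prefix_tokens):
    """Hash of tenant id plus prefix tokens, truncated to KEY_BITS bits."""
    data = tenant.encode() + b"\x00" + " ".join(prefix_tokens).encode()
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest[:4], "big") >> (32 - KEY_BITS)

class PrefixCache:
    """Hypothetical prefix cache; verify=True re-checks owner and prefix on a hit."""
    def __init__(self, verify):
        self.verify = verify
        self.entries = {}

    def put(self, tenant, prefix, state):
        self.entries[cache_key(tenant, prefix)] = (tenant, tuple(prefix), state)

    def get(self, tenant, prefix):
        entry = self.entries.get(cache_key(tenant, prefix))
        if entry is None:
            return None
        owner, stored_prefix, state = entry
        if self.verify and (owner != tenant or stored_prefix != tuple(prefix)):
            return None  # key collided: treat as a miss and recompute
        return state

def find_collision(tenant_a, prefix_a, tenant_b):
    """Search constructed prefixes for tenant_b until one shares tenant_a's key."""
    target = cache_key(tenant_a, prefix_a)
    n = 0
    while True:
        candidate = ["analyze", "csv", f"row{n}"]
        if cache_key(tenant_b, candidate) == target:
            return candidate
        n += 1

def demo():
    """Return what tenant-b receives for a colliding prefix, without and with verification."""
    a_prefix = ["build", "minecraft", "temple"]
    b_prefix = find_collision("tenant-a", a_prefix, "tenant-b")
    results = {}
    for verify in (False, True):
        cache = PrefixCache(verify)
        cache.put("tenant-a", a_prefix, "KV(tenant-a)")
        results[verify] = cache.get("tenant-b", b_prefix)
    return results

if __name__ == "__main__":
    print(demo())
```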

A second architectural fit is MCP / CLAUDE.md injection. Claude Code loads MCP server configs and project instruction files from a path-derived key. The reporter works in a launch directory that contains a .claude/ config for an unrelated project; path collisions on the encoded-cwd key would produce exactly the kind of "wrong instructions, unrelated context" symptom that @arbirk describes. This is a separate failure mode that would surface inside one tenant's session without crossing any tenant boundary, but its user-visible symptom is the same.

Why this is news for typescript.news readers

Claude Code is the dominant AI coding tool for the TS/JS ecosystem in 2026 (it is the default in Anthropic's own docs, in Vercel's agent examples, and in the Claude 2.x series that shipped across June and July). Enterprise ZDR customers in our audience include teams running proprietary buildchains, monorepo secrets, and contract code under NDA. The headline signals matter to that audience:

  • The isolation contract on the highest tier is the part that needs a vendor statement, not the routine API tier.
  • The surface symptom is unrelated prompts, not PII, so the worst case is "your session got someone else's cache prefix," which is bad but is not "your secrets went out."
  • The release notes for Claude Code 2.1.200 and 2.1.201 (released 2026-07-03) do not list any cache-isolation fix; whatever 2.1.200 changed (the default permission mode moved to manual, the AskUserQuestion dialog no longer auto-continues by default, several daemon crash fixes) is unrelated.
  • The faster pattern reporters describe (cache miss plus first-turn response) is also the most common interaction shape for AI coding workflows: long session, idle, resume, first new request.

What to watch over the next week

  1. Anthropic's first engineering comment on 74066. Either acknowledging the bug, asking for additional telemetry, or forwarding to a security disclosure address will tighten or close most of the speculation. As of 2026-07-05 05:00 UTC, the thread has zero team engagement.
  2. A release that mentions cache-isolation, MCP path-binding, or tokenization fingerprinting. The relevant fix would land in turbod's path-boundary hashing, in the inference cache lookup, or in claude-code's pre-turn context assembly. 2.1.200 and 2.1.201 do not list any such fix.
  3. Whether Anthropic issues a security advisory or GHSA for any of the same surface. Anthropic publishes GHSA entries on the claude-code repository for confirmed issues (recent entries include GHSA-7835-87q9-rgvv on sandbox escape via git worktree path confusion). If 74066 is the same surface, the GHSA path is the public venue.
  4. A second cluster of reports from non-Claude-Code surfaces. The thread already has reports for Claude Code, Claude Mobile, and Claude deep research. If the same symptom starts surfacing on Claude.ai chat, the bottleneck is inference-side, not Claude-Code-side.
  5. A post-mortem along the lines of Project Glasswing. Anthropic's playbook for AI-specific security finds in 2026 is a Glasswing-style write-up; that is what the next few days look like if the report is confirmed.

Until then, the operational ask is the boring one: do not paste secrets into a Sonnet 5 session on a path that collides with another project's .claude/ config; on Enterprise ZDR, do not assume that the tier's contract is enforceable until Anthropic confirms it is; and treat any prompt fragment that you cannot account for as a candidate cache-collision event, not as a hallucination to ignore.
