---
title: "Claude Code Issue #74066: Users Report Cross-Workspace Context Bleed on Sonnet 5, Anthropic Has Not Yet Responded"
description: "An open bug filed against Claude Code on 2026-07-04 by an [Enterprise ZDR](https://docs.anthropic.com/en/docs/build-with-claude/zero-data-retention) user describes a working session on Sonnet 5 that suddenly starts referencing an unrelated Minecraft temple build, then doubles down on the wrong task in its recap. The reporter (GitHub: [@milesrichardson-edb](https://github.com/milesrichardson-edb), issue [anthropics/claude-code#74066](https://github.com/anthropics/claude-code/issues/74066)) is on Enterprise Zero Data Retention, the tier Anthropic specifically advertises as session-isolated. Triage on the reporter's local session JSONL at `~/.claude/projects/<encoded-cwd>/<session-id>.jsonl` finds the leaked text is not in the transcript, ruling out a local context bleed by file overlap. Four other users in the comments (with work histories going back to last year) describe near-identical behavior across Claude Code, Claude Mobile, and Claude deep research. The most plausible architectural fit is shared KV-cache state in inference ([per @yv3nne in the comments](https://github.com/anthropics/claude-code/issues/74066#issuecomment-4880448776)), but no Anthropic engineer has commented on the issue in the 22 hours since it was filed, and the issue reached the top of [Hacker News](https://news.ycombinator.com/item?id=42481789) on 2026-07-04. The tone in the thread is split: half suspecting a real platform cache reuse, half suspecting a [sonnet-5-specific hallucination triggered by a Pygments lexer](https://github.com/anthropics/claude-code/issues/74066#issuecomment-4880334711). Both readings are credible."
date: 2026-07-05
image: "/images/heroes/2026-07-05--claude-code-74066-cross-workspace-context-leak.png"
author: lschvn
tags: ["security", "ai", "tooling"]
tldr:
  - "[anthropics/claude-code#74066](https://github.com/anthropics/claude-code/issues/74066), filed 2026-07-04 at 02:04 UTC by an Anthropic Enterprise [ZDR](https://docs.anthropic.com/en/docs/build-with-claude/zero-data-retention) user on Claude Code 2.1.199, describes a Sonnet 5 session that starts returning content about an unrelated user's Minecraft temple build, references 'earlier pollution' that isn't in the local session, and then carries the wrong task into its recap. The reporter, [@milesrichardson-edb](https://github.com/milesrichardson-edb), rules out local context bleed (the leaked words are nowhere in `~/.claude/projects/<encoded-cwd>/<session-id>.jsonl`) and a Pygments [lexer file called `minecraft.py`](https://github.com/pygments/pygments/blob/master/pygments/lexers/minecraft.py) being accidentally surfaced, since only the string `minecraft.py` appears in their transcripts, not `bricks` or `temple`."
  - "[Four other commenters](https://github.com/anthropics/claude-code/issues/74066#issuecomment-4880334711) describe the same broad pattern across Claude Code, Claude Mobile, and Claude deep research on Sonnet 5: prompt fragments from clearly unrelated sessions surface in turn responses and survive across compaction. [@arbirk](https://github.com/anthropics/claude-code/issues/74066#issuecomment-4880448938) reports a fabricated 'MCP servers need auth' notice, an unrelated `CLAUDE.md` dump, and fake 'Plan mode is active' instructions within a single response. [@phonkd](https://github.com/anthropics/claude-code/issues/74066#issuecomment-4880453726) reports Claude citing a store location for a friend who has never been mentioned in any chat. [@noperator](https://noperator.dev/posts/pelicant) links a prior [June 2026 deep-research incident](https://noperator.dev/posts/pelicant) where Anthropic attributed the same surface to internal scaffolding rendering, not a privacy leak."
  - "The architectural fit that multiple commenters point to is shared KV cache state on the inference path. Anthropic's inference cluster reuses prompt caches for cost and latency; a Sonnet 5 cache hit on a different user's prefix that is the same tokenizer shape as the reporter's prompt would explain cross-tenant fragment surfacing without any code path needing to read another tenant's data on purpose. No Anthropic engineer has commented on the issue since filing, and [Claude Code 2.1.200](https://github.com/anthropics/claude-code/releases/tag/v2.1.200) and [2.1.201](https://github.com/anthropics/claude-code/releases/tag/v2.1.201), released 2026-07-03 after the original 74066 report window opened, do not list any cache-isolation fix in their release notes. The thread's strongest operational signal: at least two of the five reports happened after a cache miss followed by the first response in the new session."
faq:
  - question: "What is Claude Code bug 74066?"
    answer: "[anthropics/claude-code#74066](https://github.com/anthropics/claude-code/issues/74066) (open, filed 2026-07-04 02:04 UTC by [@milesrichardson-edb](https://github.com/milesrichardson-edb)) describes a Claude Code 2.1.199 session on Sonnet 5 where the model returns content about an unrelated user's Minecraft temple build, references 'earlier pollution' that isn't in the local JSONL transcript at `~/.claude/projects/<encoded-cwd>/<session-id>.jsonl`, and carries the wrong task into its recap. The reporter is on Enterprise ZDR (Zero Data Retention). The bug is open as of 2026-07-05 with 14 comments, no Anthropic engineer comment, and the labels `bug`, `platform:macos`, `area:core`, `area:security` applied by `github-actions[bot]`."
  - question: "Did Anthropic confirm this is a real cross-account leak?"
    answer: "No. As of 2026-07-05 05:00 UTC, no Anthropic engineer has commented on the issue. Anthropic's closest prior public statement is from [June 2026, in response to Caleb Gross's noperator.dev report on Claude deep research](https://noperator.dev/posts/pelicant), which surfaced unrelated prompts in deep-research task titles with similar surface symptoms. Anthropic told Gross that this was internal scaffolding (system prompt, tool JSON-Schemas, userPreferences, web_search JSON) being rendered into the UI, with the user-visible examples being Anthropic-authored sample queries, not a privacy violation. That framing has not yet been applied to 74066, and the 74066 reporter's setup (Enterprise ZDR) is a stricter isolation tier than the Claude.ai deep-research tier."
  - question: "Could this just be a Sonnet 5 hallucination?"
    answer: "Yes, and several commenters argue for it. [@DevBrent](https://github.com/anthropics/claude-code/issues/74066#issuecomment-4880441132) points out that a Pygments lexer file at [`pygments/lexers/minecraft.py`](https://github.com/pygments/pygments/blob/master/pygments/lexers/minecraft.py) is enough for a tool call listing files in a Python virtual environment to surface the literal token `minecraft` in transcripts. A model that picks up `minecraft` as a context token and starts free-associating could plausibly invent a 'Minecraft temple' out of pattern completion, with no cross-tenant involvement. The reporter's counter-triage (no instance of `bricks` or `temple` in the JSONL, plus the user's session having nothing to do with Minecraft) is what makes the hallucination reading weak but not zero."
  - question: "What does the Enterprise ZDR guarantee actually cover?"
    answer: "Anthropic documents [Zero Data Retention / Enterprise ZDR](https://docs.anthropic.com/en/docs/build-with-claude/zero-data-retention) as the tier where neither prompts, responses, nor session data are retained on Anthropic infrastructure after the response is returned, and where prompts are not used for training or improvement. ZDR is the strongest isolation level Anthropic sells. The 74066 reporter is on this tier, which makes a literal 'another tenant's full prompt is being shipped to me' leak a violation of the isolation contract and not a routine rendering bug. Even the weaker reading (KV cache prefix shape reuse) would still be inconsistent with the ZDR position, because the user-visible result is indistinguishable from session bleed."
  - question: "Could it be MCP server / hook injection rather than inference-side leakage?"
    answer: "Possibly, and the new symptom in [@arbirk's report](https://github.com/anthropics/claude-code/issues/74066#issuecomment-4880448938) (a fabricated 'MCP servers need auth' notice, a dump of an unrelated `CLAUDE.md`, and fake 'Plan mode is active' instructions telling the agent to stop) is consistent with the prompt-prep pipeline pulling the wrong instructions. Claude Code now loads MCP server configs and project `CLAUDE.md` from `~/.claude/projects/<encoded-cwd>/` paths, and the path-encoded-cwd boundary is a known fingerprint-collision point: the reporter runs sessions in a directory that contains a `.claude/` config for an unrelated project. This is a separate failure mode from inference-side cache bleed but would produce the same user-visible symptom, and Claude Code's own log paths are not designed to disambiguate which prefix the surfaced instructions came from."
  - question: "Is this a data breach that I need to act on?"
    answer: "There is no evidence, in any of the five public reports, that another user's PII, code, secrets, or personal chat content has been exfiltrated to the reporter. What surfaces is prompt fragments: a Minecraft temple description, a Hebrew calligraphy lesson, a store location for a friend. That is consistent both with cross-tenant surface and with the kind of Anthropic-authored sample queries that Anthropic told [noperator.dev](https://noperator.dev/posts/pelicant) are baked into agent scaffolding. The user-facing ask is twofold: Enterprise ZDR customers should wait for an Anthropic statement before assuming their session boundaries hold; everyone on Sonnet 5 should check their own session JSONLs against any visible bleed, since the issue is unconfirmed and not yet recognized as a bug by Anthropic."
---

On 2026-07-04 at 02:04 UTC, a Claude Code user filed [anthropics/claude-code#74066](https://github.com/anthropics/claude-code/issues/74066) describing a session on Claude Code 2.1.199 running [Sonnet 5](/articles/2026-07-01--claude-sonnet-5-default-model-claude-code-1m-context) that started returning text about an unrelated Minecraft temple build. The reporter, [@milesrichardson-edb](https://github.com/milesrichardson-edb), is on Anthropic Enterprise Zero Data Retention (ZDR), the isolation tier where prompts are not retained and not used for training. By 2026-07-05, the issue had 14 comments, no Anthropic engineer engagement, and the labels `bug`, `platform:macos`, `area:core`, `area:security` applied. The thread also surfaced five related reports going back over a year, on Claude Code, Claude Mobile, and Claude deep research.

## What the reporter actually saw

The bug body is a roughly 200-word bug report with one attached screenshot and an OCR transcript of a follow-up. The functional summary:

- A Claude Code session on Enterprise ZDR is mid-task on a data-analysis project (CSV files for an unrelated dataset).
- The agent stops mid-task, asks the user what kind of bricks they want for their Minecraft temple, and asserts in the recap that it is "building a Minecraft temple."
- The user has no Minecraft project. The trajectory says "earlier pollution" that they did not write. The local JSONL transcript at `~/.claude/projects/<encoded-cwd>/<session-id>.jsonl` (the per-session, per-launch-directory log that Claude Code writes on macOS, Linux, and Windows under WSL) is grepped clean for `bricks`, `temple`, `minecraft` outside one stray filename reference and the OCR of the symptom itself.
- The reporter had also worked on a different `.claude/`-context directory in the same launch working tree earlier in the day, but the mismatch does not map onto the symptom (those messages were about an unrelated point fix, not Minecraft).

The reporter explicitly disclaims two obvious explanations: local log cross-pollination (the JSONL is per-session and grep-clean), and a Pygments [lexer file called `minecraft.py`](https://github.com/pygments/pygments/blob/master/pygments/lexers/minecraft.py) leaking through tool output (only the filename string appears, never `bricks` or `temple`).

## The five corroborating reports

By 2026-07-04 17:08 UTC, five public comments on the issue describe similar behavior. Three observations tighten the pattern:

1. [@arbirk](https://github.com/anthropics/claude-code/issues/74066#issuecomment-4880448938) describes a single response that contained a fabricated "MCP servers need auth" notice, an unrelated `CLAUDE.md` dump, and fake "Plan mode is active" instructions telling the agent to stop and use tools it does not have. Three layers of out-of-band system instructions in the same response from a single user.
2. The reporter files the same symptom on Claude Mobile in the same Enterprise account within hours, with the common factor being Sonnet 5 and "first response after more than 5 minutes (cache miss)." Cache-miss + first-turn is the prefix shape most likely to trip a shared-key inference cache.
3. [noperator.dev's June 2026 deep research writeup](https://noperator.dev/posts/pelicant) is the prior public incident with the same surface: deep-research task titles leaking unrelated content (Hebrew calligraphy lessons, "Bananas: A Comprehensive History"). Anthropic told Gross that this was internal scaffolding being rendered into the UI, with the user-visible fragments being Anthropic-authored sample queries rather than another user's prompt.

## The architectural fit

The hypothesis that fits without Anthropic's stack needing to consciously violate isolation is KV-cache reuse on the inference path. Anthropic, like every frontier model provider in 2026, runs a prompt cache to avoid recomputing long system prefixes for repeat customers. The cache key is a hash of the prefix tokens plus the tenant identifier; a hash collision under load (Sonnet 5 cache miss + first-turn, specifically) would surface another tenant's cached prefix into the model's effective context window. No code path needs to "read another tenant's data"; the KV cache just returns the wrong state's activations.

This is unverified. @yv3nne's comment in the thread flags the same pattern; @noperator flags it explicitly. Anthropic has not commented, and Anthropic's cloud-cache documentation is consistent with reuse but does not pin down how cache lookups gate against tenant boundaries in shared-cache scenarios. The Enterprise ZDR position [as documented](https://docs.anthropic.com/en/docs/build-with-claude/zero-data-retention) is that prompts are not retained; if a KV cache entry is replayed by another tenant on a cache hit, that is functionally indistinguishable from a retention event for the recipient.

A second architectural fit is MCP / `CLAUDE.md` injection. Claude Code loads MCP server configs and project instruction files from a path-derived key. The reporter works in a launch directory that contains a `.claude/` config for an unrelated project; path collisions on the encoded-cwd key would produce exactly the kind of "wrong instructions, unrelated context" symptom that [@arbirk](https://github.com/anthropics/claude-code/issues/74066#issuecomment-4880448938) describes. This is a separate failure mode that would surface inside one tenant's session without crossing any tenant boundary, but its user-visible symptom is the same.

## Why this is news for typescript.news readers

Claude Code is the dominant AI coding tool for the TS/JS ecosystem in 2026 (it is the default in Anthropic's own docs, in Vercel's agent examples, and in the Claude 2.x series that [shipped across June and July](/articles/2026-07-03--claude-code-2-1-199-stacked-skills-subagent-errors)). Enterprise ZDR customers in our audience include teams running proprietary buildchains, monorepo secrets, and contract code under NDA. The headline signals matter to that audience:

- The isolation contract on the highest tier is the part that needs a vendor statement, not the routine API tier.
- The surface symptom is unrelated prompts, not PII, so the worst case is "your session got someone else's cache prefix," which is bad but is not "your secrets went out."
- The [release notes for Claude Code 2.1.200 and 2.1.201](https://github.com/anthropics/claude-code/releases) (released 2026-07-03) do not list any cache-isolation fix; whatever 2.1.200 changed (the default permission mode moved to `manual`, the `AskUserQuestion` dialog no longer auto-continues by default, several daemon crash fixes) is unrelated.
- The faster pattern reporters describe (cache miss plus first-turn response) is also the most common interaction shape for AI coding workflows: long session, idle, resume, first new request.

## What to watch over the next week

1. **Anthropic's first engineering comment on 74066.** Either acknowledging the bug, asking for additional telemetry, or forwarding to a security disclosure address will tighten or close most of the speculation. As of 2026-07-05 05:00 UTC, the thread has zero team engagement.
2. **A release that mentions cache-isolation, MCP path-binding, or tokenization fingerprinting.** The relevant fix would land in `turbod`'s path-boundary hashing, in the inference cache lookup, or in `claude-code`'s pre-turn context assembly. [2.1.200 and 2.1.201](https://github.com/anthropics/claude-code/releases) do not list any such fix.
3. **Whether Anthropic issues a security advisory or GHSA for any of the same surface.** Anthropic publishes [GHSA entries on the claude-code repository](https://github.com/anthropics/claude-code/security/advisories) for confirmed issues (recent entries include [GHSA-7835-87q9-rgvv](https://github.com/anthropics/claude-code/security/advisories/GHSA-7835-87q9-rgvv) on sandbox escape via git worktree path confusion). If 74066 is the same surface, the GHSA path is the public venue.
4. **A second cluster of reports from non-Claude-Code surfaces.** The thread already has reports for Claude Code, Claude Mobile, and Claude deep research. If the same symptom starts surfacing on Claude.ai chat, the bottleneck is inference-side, not Claude-Code-side.
5. **A post-mortem along the lines of [Project Glasswing](/articles/2026-04-07--anthropic-project-glasswing-ai-finds-zero-days-faster-than-humans).** Anthropic's playbook for AI-specific security finds in 2026 is a Glasswing-style write-up; that is what the next few days look like if the report is confirmed.

Until then, the operational ask is the boring one: do not paste secrets into a Sonnet 5 session on a path that collides with another project's `.claude/` config; on Enterprise ZDR, do not assume that the tier's contract is enforceable until Anthropic confirms it is; and treat any prompt fragment that you cannot account for as a candidate cache-collision event, not as a hallucination to ignore.
