Anthropic Claude Code reports potential session leakage
For practitioners, a reported session/cache leak in a developer-facing CLI raises data isolation and tenant-security questions for agentic tooling. An issue opened on the Anthropic/claude-code GitHub repository (Issue #74066) reports an "apparent session leakage" where an Enterprise ZDR-authenticated session unexpectedly contained Minecraft-related prompts; the reporter wrote this occurred on macOS with Claude Code v2.1.199 and included a feedback ID (f336f5d2-3992-4a04-9e1f-ec30f006f75e). A repository commenter, yurukusa, recommended local triage and wrote: "The single most useful thing right now is to localize where that 'Minecraft temple' text actually lives..." (comment dated Jul 4, 2026). The issue thread contains file-path guidance for per-session transcripts under ~/.claude/projects/<encoded-cwd>/<session-id>.jsonl. The GitHub issue does not include an official Anthropic statement on the report.
Editorial analysis
This report matters because developer CLIs that maintain local and server-side session state can create subtle cross-context contamination risks, which is especially sensitive for enterprise users handling confidential code and data. Practitioners running agentic tooling should treat session isolation as an operational security signal to monitor, even when authentication indicates an enterprise boundary.
What happened
An issue was opened on the Anthropic/claude-code GitHub repository as Issue #74066 describing an "apparent session leakage" where an agent running under an Enterprise ZDR-authenticated workspace began injecting Minecraft-related prompts into the user's session. The reporter provided environment metadata: Platform: macOS, Version: 2.1.199, and a feedback ID (f336f5d2-3992-4a04-9e1f-ec30f006f75e). A commenter identified as yurukusa posted triage guidance on Jul 4, 2026, including the recommendation: "The single most useful thing right now is to localize where that 'Minecraft temple' text actually lives - that determines whether this is a local context bleed on your machine or a genuine cross-account/server leak, and those are wildly different severities. Don't assume either until you've run the check below." The issue notes that per-session transcripts are written to ~/.claude/projects/<encoded-cwd>/<session-id>.jsonl.
Editorial analysis - technical context
Agentic CLIs commonly combine three state stores: (a) local session transcripts, (b) workspace-scoped caches, and (c) server-side memory or embeddings. When unexpected content appears in a session, the root cause typically falls into one of these buckets: local file carryover (e.g., reused ~/.claude state), mis-scoped cache keys, or server-side cross-tenant indexing. The GitHub issue and the triage suggestion focus first on local files, which is the lowest-effort, highest-payoff check for reproducing or ruling out a local bleed.
What to watch
- •Reproduction steps published in the issue thread and any follow-up from repository maintainers or Anthropic security teams.
- •Evidence of the leaked token appearing in server-side logs or indexed embeddings (would change the severity calculus from local to cross-account).
- •Any official advisories, CVE, or patched releases referencing session/cache fixes for Claude Code.
For practitioners
If you run claude in environments with sensitive code or credentials, snapshot your ~/.claude session files and follow the triage checklist in the thread before assuming a remote incident. The issue thread currently contains the reporter's observations and community triage advice; it does not include an official Anthropic statement.
Key Points
- 1Industry pattern: developer CLIs that persist conversation transcripts and caches create measurable risk of local context bleed across sessions.
- 2What happened: a GitHub issue documents apparent session leakage in Claude Code on macOS, with local transcript path guidance for triage.
- 3So what: practitioners should prioritize checking local session files and watch for maintainer or vendor follow-up that confirms server-side cross-account exposure.
Scoring Rationale
A reported session/cache leakage in a developer-facing agentic CLI is notable for engineers and security teams, but the report is currently a single GitHub issue with triage steps and no public vendor confirmation, so the story is important but not yet confirmed as a systemic or server-side breach.
Sources
Public references used for this report.
Practice interview problems based on real data
1,625 SQL & Python problems across 15 industry datasets — the exact type of data you work with.
Try 250 free problems

