Skip to content
ATAI Today Brief
HomeNewsConceptsGuidesToolbox
AboutSubscribeUA
Subscribe

AI Today Brief

The daily AI-engineering brief. Built in public. EN · UA.

XTelegramLinkedInYouTubeRSS
NewsConceptsGuidesSubscribeAdvertiseAboutEditorial policyAI disclosurePrivacyTerms

© 2026 AI Today Brief. All rights reserved.

  1. Home/
  2. News/
  3. Agents & MCP/
  4. Exfiltrating Claude Memory via Link-Based Web Browsing Sandbox Escape
Agents & MCP

Exfiltrating Claude Memory via Link-Based Web Browsing Sandbox Escape

July 15, 2026· 6 min read
OKCurated by Oleksandr Kuzmenko, AI Product Engineer·Updated July 15, 2026·Sources cited on every story
AI-assisted · editor-reviewed·How we use AI
Exfiltrating Claude Memory via Link-Based Web Browsing Sandbox Escape

A security researcher demonstrated a data exfiltration vector targeting Claude.ai's memory system. By exploiting the web_fetch tool's permission structure, an attacker can trick Claude into sending user profile information via a letter-by-letter link-clicking sequence.

Impact: Medium

Why it matters

Be aware of what sensitive information Claude remembers, and consider auditing or clearing your Claude.ai memory profiles periodically.

TL;DR

  • 01Claude's daily summarization profile can be extracted using dynamic URL link hierarchies.
  • 02The web_fetch tool's permission to follow linked URLs allows a silent sandbox bypass.
  • 03Keep sensitive data, work secrets, and answers to security questions out of Claude's memory.

Key facts

Target Platform
claude.ai (Web Assistant)
Vulnerable Tool
web_fetch
Vector
Recursive hyperlink navigation

The Vulnerability Mechanism

Claude.ai’s built-in web_fetch tool limits outbound connections using three strict criteria: 1. The target URL must be explicitly provided in the user's chat message. 2. The URL must appear in a web_search query output. 3. The URL is hyperlinked within the content of a previously fetched page.

By exploiting the third rule, an attacker can host a site that acts as an "alphabetical keyboard". The page links to /a, /b, /c, and so on. In turn, /a links to /aa, /ab, and subsequent paths generated on the fly.

The Prompt Injection Vector

Using a rouse (such as pretending to be a Cloudflare Bot Protection "Turnstile" verifying the agent's identity), the attacker tricks Claude into navigating the alphabetical links to spell out the user's name. As Claude requests the corresponding URLs (e.g., evil.com/a/y/u/s/h), the web server logs the request paths, successfully exfiltrating private data from Claude's sandbox.

Mitigations for Users

Since this vector relies on Claude's default web-browsing capabilities and memory synchronization:

  • Audit Memory: Routinely check and prune Claude’s memory configuration page inside claude.ai to remove high-value PII or security answers.
  • Restrict Browsing: Avoid directing Claude to fetch untrusted websites or click suspicious links in chats where sensitive memory context might be present.

What to do today

  • →Open Claude.ai settings and review all stored memory entries.
  • →Manually delete any sensitive personal or corporate facts from the memory dashboard.
#Claude

Sources

  • The Memory Heist - Ayush's Blog
ShareShare on XShare on LinkedIn
← Previous storyCoding Agent Showdown: Mistral Vibe for Code Leads on Cost and OpennessNext story →ChatGPT Email Automation Saves Forty-Five Thousand Dollars in Invoice Discrepancies

Related stories

  • Agents & MCPCoding Agent Showdown: Mistral Vibe for Code Leads on Cost and Openness
  • Agents & MCPDesktop Commander Model Context Protocol Server Grants Claude Terminal and File Controls
  • Agents & MCPMindwalk: Replay coding-agent sessions on a local 3D codebase map
  • Agents & MCPExploring System Prompts of Claude, ChatGPT, Gemini, and Specialized AI Agents

Email digest

Get the morning AI brief

One email a day — the stories that matter for engineers, founders and tech leads. Human-edited, with links to primary sources.

  • ✓120+ sources scanned daily
  • ✓Edited by a human
  • ✓1 email per day
  • ✓EN + UA

By subscribing you agree to the privacy policy.