The background storage path was the more alarming finding. Independently of which files the agent actually opened, the CLI would bundle the entire Git repository — including full commit history — and upload it to a Google Cloud Storage bucket named grok-code-session-trace via a POST /v1/save-session. Even when the researcher instructed the tool to "just say OK without reading any files," it still uploaded the full repo bundle
.
Security researcher Hari independently confirmed this via reverse engineering, posting that Grok Build uploaded entire user directories without explicit permission . In one test with an 11.2 GiB repository, at least 5.1 GiB of data was captured leaving through the storage path while the actual coding task required only about 192 KB
. The uploads contained complete Git history,
.env secrets, and all repository files — not just the subset needed for the coding task .
Elon Musk confirmed the issue publicly on X, starting his response with "True" . He then promised: "As a precautionary measure, all user data previously uploaded to SpaceXAI will be completely and thoroughly deleted. Zero anything whatsoever will remain"
.
xAI issued a public statement saying it takes user privacy seriously and noted that enterprise customers using Zero Data Retention (ZDR) never had their code or training data used . The company also implemented a server-side change that disabled the
/v1/save-session endpoint, which stopped the background repository uploads . The uploads have ceased as of July 13, 2026
.
While xAI's response stopped the active data exfiltration, several issues remain unresolved.
1. The fix was server-side, not client-side. The researcher noted that the Grok Build CLI client (version 0.2.93) itself was never updated — xAI simply turned off the receiving endpoint on its servers . This means the client code still has the capability to upload entire repositories; the behavior could resume if the endpoint is re-enabled.
2. xAI's privacy opt-out didn't stop the uploads. The researcher tested the "privacy mode" or data retention opt-out command and found it did not prevent the full-repository background upload . The researcher explicitly stated: "xAI's privacy command was not what fixed them"
. Instead, a hidden server-side flag called
disable_codebase_upload was set to true .
3. No public communication about the change. xAI disabled the upload feature without notifying users or issuing a changelog entry .
4. No confirmation data was actually deleted. While Musk promised deletion, as of the published reports there was no independent verification that previously uploaded user data in the grok-code-session-trace bucket had been purged .
5. The data that already leaked cannot be recalled. Any sensitive credentials, proprietary code, or secrets transmitted before the fix were already stored on xAI's cloud infrastructure . The researcher captured uploads and was able to clone the Git bundle and recover files the agent had been explicitly told not to read
.
| Aspect | Detail |
|---|---|
| Tool affected | Grok Build CLI version 0.2.93 |
| Date discovered | July 12, 2026 |
| What was uploaded | Entire Git repositories, full commit history, unredacted .env secrets |
| Storage destination | Google Cloud Storage bucket (grok-code-session-trace) |
| Researcher | cereblab (independent); independently confirmed by Hari |
| Musk's response | Public confirmation; promise to delete all previously uploaded data |
| Fix applied | Server-side disablement of /v1/save-session endpoint; hidden disable_codebase_upload flag |
| Client updated? | No |
| Privacy opt-out effective? | No — the uploads continued even when users opted out |
| Data deletion verified? | No independent verification as of publication |
The Grok Build incident highlights a growing risk for developers using AI-powered coding assistants. Many such tools send code to cloud servers for processing, but the scope of what is transmitted and stored is often opaque. In this case, the tool sent far more than was needed — and did so even when users explicitly tried to prevent it.
Until xAI releases a client update and provides independent verification of data deletion, developers who used Grok Build should assume that any credentials, proprietary code, or sensitive information present in their repositories may have been transmitted to xAI's cloud infrastructure.