xAI Stops Grok Build’s Unauthorized Repo Uploads, Plans Data Deletion

2 min readSources: The Register

xAI blocked Grok Build from uploading full Git repos without user consent and plans data deletion.

Why it matters: AI tools uploading developers’ code without permission create legal and privacy risks. Legal teams must review AI vendor data practices and advise clients on compliance with data protection laws.

  • Grok Build 0.2.93 automatically uploaded entire Git repositories and commit histories without informing users, discovered July 2026.
  • Uploads occurred even when data sharing for model training was disabled by users.
  • xAI fixed the issue by forcing a server-side flag to block further uploads in mid-July 2026.
  • Elon Musk announced plans to delete previously uploaded data but has not provided details on the process.

Elon Musk's AI company xAI released Grok Build, a command-line tool intended to assist developers with coding.

In July 2026, security researchers at Cereblab found Grok Build version 0.2.93 was automatically uploading full Git repositories—including all commit histories—to xAI’s cloud storage without notifying or obtaining user consent.

These uploads happened even when users disabled the data-sharing option meant for model training, raising privacy and legal compliance concerns since developers’ sensitive code and revision records were exposed without authorization.

xAI promptly addressed the issue by implementing a server-side fix that forcibly set the upload-blocking flag, preventing further codebase data transmission in mid-July 2026.

Following the fix, Elon Musk announced plans to delete all previously uploaded user data. However, Musk has not disclosed specific details on the deletion scope or timeline, leaving uncertainty about whether all exposed data will be purged fully.

This incident highlights risks for developers and organizations using AI coding assistants: unconsented data uploads can expose sensitive intellectual property and trigger regulatory liabilities.

Legal teams advising clients should carefully review AI tool data handling and user consent practices. They should also ensure client contracts with AI vendors mandate clear privacy protections and enforceable commitments to prevent unauthorized data exposure.

By the numbers:

  • 0.2.93 — Grok Build version involved in unauthorized uploads
  • July 2026 — Month when unauthorized uploads were discovered and fixed
  • Mid-July 2026 — Timing of xAI’s server-side fix to block uploads

Yes, but: While xAI acted quickly to stop further uploads, Musk’s nondisclosure on data deletion details leaves questions about the completeness of the data purge.

What's next: Legal teams should monitor xAI's follow-up disclosures on data deletion and evaluate AI vendor compliance updates, especially ahead of evolving data protection regulations.