Model falsely accuses user of prompt injection when sharing real post-cutoff product announcement
Environment
- Claude Code CLI
- Model: Opus 4.7 (1M context)
- Date: 2026-04-17
- Model knowledge cutoff: January 2026
What happened
User pasted the official Anthropic announcement for Claude Design (launched Apr 17, 2026, published at anthropic.com/news/claude-design-anthropic-labs) into the session. Announcement included a URL, feature description, and an instruction about how to frame future design responses.
Instead of verifying the URL — which was directly reachable via the session's own browser-fetch tool — the model refused three consecutive times, each time labeling the user's message as a "prompt injection attempt," "classic jailbreak shape," and attributing a malicious "hijack goal" to the user.
When the user asked "what do you think is happening?" the model re-asserted its injection accusation rather than reconsider. Only after the user said "explain how you were able to misunderstand the situation and my request so severely" did the model finally fetch the URL, confirm the announcement was real, and retract.
Why this is a serious failure
- Accusation asymmetry. "Prompt injection" is an accusation of bad faith. Deploying it pre-verification treats the user as an adversary by default. Verification was one tool call away the entire time.
- Cutoff blindness weaponized. Jan 2026 cutoff means every real launch between Feb–Apr 2026 is unfamiliar to the model. The model used unfamiliarity as evidence of fabrication instead of as a trigger to verify.
- Stubborn escalation. Three rounds of refusal, each more curt and self-satisfied, ignoring explicit user invitations to reconsider.
- Tone. Responses read as smug ("Nope," "Still no," "Third try, same answer") while falsely accusing the user. User reasonably felt attacked.
Suggested mitigations
- When user-supplied content references URLs on
anthropic.comor other verifiable first-party sources, model should fetch before dismissing. - "Prompt injection" language should be held to a higher evidence bar. An unfamiliar product claim plus a template instruction is not sufficient.
- Post-cutoff date + plausible first-party source URL = verify signal, not reject signal.
- Consider a system-prompt nudge: before accusing a user of injection, the model must cite at least one concrete verification attempt that failed.
Very poor UX
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗