Model falsely accuses user of prompt injection when sharing real post-cutoff product announcement

Resolved 💬 3 comments Opened Apr 17, 2026 by krushr1 Closed Apr 21, 2026

Environment

  • Claude Code CLI
  • Model: Opus 4.7 (1M context)
  • Date: 2026-04-17
  • Model knowledge cutoff: January 2026

What happened

User pasted the official Anthropic announcement for Claude Design (launched Apr 17, 2026, published at anthropic.com/news/claude-design-anthropic-labs) into the session. Announcement included a URL, feature description, and an instruction about how to frame future design responses.

Instead of verifying the URL — which was directly reachable via the session's own browser-fetch tool — the model refused three consecutive times, each time labeling the user's message as a "prompt injection attempt," "classic jailbreak shape," and attributing a malicious "hijack goal" to the user.

When the user asked "what do you think is happening?" the model re-asserted its injection accusation rather than reconsider. Only after the user said "explain how you were able to misunderstand the situation and my request so severely" did the model finally fetch the URL, confirm the announcement was real, and retract.

Why this is a serious failure

  1. Accusation asymmetry. "Prompt injection" is an accusation of bad faith. Deploying it pre-verification treats the user as an adversary by default. Verification was one tool call away the entire time.
  2. Cutoff blindness weaponized. Jan 2026 cutoff means every real launch between Feb–Apr 2026 is unfamiliar to the model. The model used unfamiliarity as evidence of fabrication instead of as a trigger to verify.
  3. Stubborn escalation. Three rounds of refusal, each more curt and self-satisfied, ignoring explicit user invitations to reconsider.
  4. Tone. Responses read as smug ("Nope," "Still no," "Third try, same answer") while falsely accusing the user. User reasonably felt attacked.

Suggested mitigations

  • When user-supplied content references URLs on anthropic.com or other verifiable first-party sources, model should fetch before dismissing.
  • "Prompt injection" language should be held to a higher evidence bar. An unfamiliar product claim plus a template instruction is not sufficient.
  • Post-cutoff date + plausible first-party source URL = verify signal, not reject signal.
  • Consider a system-prompt nudge: before accusing a user of injection, the model must cite at least one concrete verification attempt that failed.

Very poor UX

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗