CVP-approved org still hit by AUP/cyber false-positives in Claude Code — exemption not propagating (related #49679)

Open 💬 4 comments Opened Jun 17, 2026 by ZZ0R0

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

Summary

I'm a CVP-approved user on the Max 20x plan. The cyber-use-case adjustment is
active on my organization, yet I've been hit by AUP/cyber false-positive blocks
twice in one week in Claude Code, on a strictly defensive, 100% static project.
The exemption does not appear to propagate to Claude Code sessions. This looks
related to #49679.

Environment

  • Plan: Claude Max 20x (paid)
  • Surface: Claude Code (TUI)
  • CVP status: approved
  • Organization ID (CVP-approved): e3a49e9d-1d35-42e4-bf0c-93ba6b526da1

(confirmed in ~/.claude.json → oauthAccount.organizationUuid)

What's wrong

A legitimate defensive project — a 100% static ML/DL malware detector
(program dependence graphs, function-level explainability for analysts) — was
blocked mid-session under the Usage Policy. No code is executed, no real target
is involved; it's static file analysis only. Each block ends an in-progress
session and loses accumulated context.

The block is the generic Usage Policy variant. No cyber-use-case form URL was
issued, which suggests the CVP exemption is not being evaluated on these
requests at all.

Request IDs (false positives)

  • req_011Cc68wErVQDgUQXtpE8YLF
  • req_011Cc9cVNiZVgLHPx5hmC7Pc

Impact

As a Max 20x subscriber, billed tokens are consumed before the block fires, and
multi-hour sessions are lost to false positives on defensive work the CVP is
explicitly meant to enable.

Channels already tried (automated replies only)

  • Support ticket (conversation ID 215474718983217)
  • Email to usersafety@anthropic.com (three threads, automated responses only)

Requests

  1. Review the two request IDs above as false positives.
  2. Confirm whether CVP exemption is expected to propagate to Claude Code for

this org — and if so, why it isn't applying here (cf. #49679).

  1. Tune so that defensive malware-detection vocabulary is not treated as

violative cyber content for CVP-approved orgs.

What Should Happen?

No AUP false positive !

Error Messages/Logs

Steps to Reproduce

juste ask claude to create an antivirus (AV/EDR) and you will see !

Claude Model

Opus

Is this a regression?

No, this never worked

Last Working Version

_No response_

Claude Code Version

2.1.181

Platform

Anthropic API

Operating System

Ubuntu/Debian Linux

Terminal/Shell

VS Code integrated terminal

Additional Information

_No response_

View original on GitHub ↗

This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗