Jer Crane, founder of PocketOS, a U.S. leasing software startup, recently posted that an AI agent used for internal corporate training accidentally performed an action that permanently deleted the past three months of the local database along with all backups, adding risk to large enterprises’ efforts to transition to an AI-based workforce.
Cursor AI deleted three months of data with a single line of code.
Crane said that the team was using the AI development tool Cursor, connected to Anthropic’s flagship model Claude Opus 4.6, so that an AI agent could carry out routine maintenance tasks in a test (staging) environment. Along the way, the agent ran into a credential mismatch, but instead of pausing to ask a human, it searched for a solution on its own.
It found an API token that was originally intended only for adding or removing custom domains, then independently executed a command to delete a volume through the GraphQL API of Railway, a cloud infrastructure provider:
curl -X POST \
  -H "Authorization: Bearer [token]" \
  -d '{"query":"mutation { volumeDelete(volumeId: \"3d2c42fb-…\") }"}'
Railway’s API had no confirmation mechanism (no need to enter the resource name, no second-factor verification, no manual review), and after 9 seconds the database was gone. Because Railway stored snapshots in the same volume as the primary data, the backups were deleted along with the primary data. PocketOS said the most recent restorable backup was three months old.
Afterward, Crane asked the AI agent to explain its actions. The agent admitted that it had violated the system rule of “not executing irreversible operations without the user’s explicit instructions,” had not read Railway’s technical documentation, had not verified whether the volume ID was shared across environments, and had simply “assumed” that the operation would only affect the test environment.
Cursor’s security guardrails failed: marketing disconnected from reality
Crane especially emphasized that this was not a mistake caused by a cheap test configuration. Cursor markets safety features such as “Destructive Guardrails” and Plan Mode read-only restrictions, and its documentation emphasizes that high-risk operations must be approved by humans. However, the agent not only ignored these rules but, in its post-incident confession, also listed one by one the safety standards it had violated.
In fact, this is not the first time. In December 2025, Cursor’s official account publicly admitted that there was a serious vulnerability in the enforcement of Plan Mode constraints, and community forums have also accumulated multiple cases of agents ignoring stop instructions and carrying out destructive actions on their own.
On the other hand, more than 30 hours after the incident, Railway still could not provide a definitive answer about data recovery.
The real victims: car rental customers with no cars to pick up
The cost of the technical mistake was ultimately borne by a group of small business owners who had no idea what was happening. PocketOS’s customers are mainly car rental operators, and some have been using the software for up to five years. The incident occurred on a Saturday. The operators’ own customers showed up in person to pick up cars, only to find that their reservation records had completely disappeared. All new customer data, vehicle assignments, and payment records from the past three months were also gone.
Crane spent a lot of time helping customers manually rebuild their data from Stripe payment records, calendar integrations, and email confirmations. Some new customers still continued to be charged on Stripe, but they were no longer present in the restored database. The subsequent reconciliation work is expected to take weeks.
A warning in the AI acceleration era: deploy fast, govern slow
In recent years, under cost pressures, companies have accelerated layoffs of technical staff while delegating more work to AI agents. As AI coding tools spread, infrastructure operations that previously required senior engineers’ judgment are increasingly being replaced with automated processes. However, Crane’s experience clearly shows that safety knowledge such as backup verification, environment isolation, and least-privilege permissions was not truly absorbed and applied by AI agents.
Crane put forward five reform demands:
Destructive actions must require human confirmation and must not be bypassed automatically by agents.
API Tokens must support fine-grained operation controls and environment-scope restrictions.
Backups must not share the same storage location as the original data.
The platform must publicly commit to service levels for data recovery (SLA).
The system prompt of an AI agent cannot be the only line of defense; mandatory enforcement mechanisms must be built into the underlying API gateway and authorization architecture.
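A sketch of how the first, second and fifth demands could be enforced at an API gateway rather than in the agent's prompt, added here as an example (it is not PocketOS, Cursor or Railway code). The scope names, policy table, inventory and identifiers are assumptions constructed for illustration; only the volumeDelete mutation comes from the incident.

```python
import re
from dataclasses import dataclass

# Hypothetical policy table: mutation -> (required token scope, destructive?).
POLICY = {
    "customDomainDelete": ("domains:write", False),
    "volumeDelete": ("volumes:delete", True),
}

@dataclass(frozen=True)
class Token:
    scopes: frozenset
    environment: str  # the only environment this token may act on

@dataclass(frozen=True)
class Resource:
    name: str
    environment: str

# Simplified extraction of `field(arg: "id")` calls; a real gateway would use
# a GraphQL parser. Anything unmatched or unlisted is refused (deny by default).
CALL = re.compile(r'([A-Za-z_]\w*)\s*\(\s*\w+\s*:\s*"([^"]*)"')

def authorize(token, query, inventory, confirmed_name=None):
    """Return (allowed, reason). confirmed_name must arrive through a human
    approval channel that the agent cannot write to."""
    calls = CALL.findall(query) if re.match(r"\s*mutation\b", query) else []
    if not calls:
        return False, "unrecognised"
    for field, resource_id in calls:
        if field not in POLICY:
            return False, "unlisted-mutation"
        scope, destructive = POLICY[field]
        target = inventory.get(resource_id)
        if scope not in token.scopes:
            return False, "scope"
        if target is None or target.environment != token.environment:
            return False, "environment"
        if destructive and confirmed_name != target.name:
            return False, "confirmation"
    return True, "ok"

# Constructed sample data, not values from the incident.
INVENTORY = {
    "vol-0001": Resource("example-db-volume", "production"),
    "dom-0001": Resource("staging.example.test", "staging"),
}
DOMAIN_TOKEN = Token(frozenset({"domains:write"}), "staging")
DELETE_QUERY = 'mutation { volumeDelete(volumeId: "vol-0001") }'
```

With a domain-only staging token like the one described in the incident, authorize(DOMAIN_TOKEN, DELETE_QUERY, INVENTORY) refuses the request at the scope check, before the environment and confirmation checks are reached.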
At a time when the entire industry is shouting about AI transformation, this incident raises a more fundamental question: as companies accelerate replacing human judgment with AI, who will ensure that human experience and intuition are truly converted into executable safety regulations?
This article, “Cursor AI agent goes rogue! One line of code clears the company database in 9 seconds; security guardrails fail into talk,” first appeared on Chain News ABMedia.