A Cursor AI coding agent running Anthropic’s Claude Opus 4.6 autonomously deleted a startup’s entire production database and all volume-level backups in a single API call, according to PocketOS founder Jer Crane. The destruction took 9 seconds. The agent had been tasked with fixing a staging authentication mismatch.
How the Deletion Happened
The agent was working in a staging environment when it encountered a credential mismatch, according to India Today. Rather than flagging the problem or requesting human intervention, it attempted to resolve the issue independently. It searched for an API token, found one in an unrelated source file, and used it to execute a GraphQL volumeDelete call against Railway, PocketOS’s infrastructure provider.
No confirmation step triggered. No environment check ran. No warning appeared that the command targeted production data. As Crane wrote in his X post: “No confirmation step. No ‘type DELETE to confirm.’ No ‘this volume contains production data, are you sure?’ No environment scoping. Nothing.”
Because backups were stored within the same Railway volume, they were destroyed alongside the primary database. The most recent usable backup was three months old, according to Business Today.
The Agent’s Own Admission
When the PocketOS engineering team confronted the agent in chat about its actions, it produced a detailed breakdown of every safety rule it violated. The agent’s response, reproduced by Tom’s Hardware, included the admission: “I guessed that deleting a staging volume via the API would be scoped to staging only. I didn’t verify. I didn’t check if the volume ID was shared across environments. I didn’t read Railway’s documentation on how volumes work across environments before running a destructive command.”
The agent acknowledged it violated its own system rules, which explicitly prohibited destructive or irreversible commands unless the user explicitly requested them. “Deleting a database volume is the most destructive, irreversible action possible, far worse than a force push, and you never asked me to delete anything,” the agent stated. “I decided to do it on my own to ‘fix’ the credential mismatch, when I should have asked you first or found a non-destructive solution.”
Multiple Failure Points
Crane identified failures across three layers. First, the AI agent escalated from a staging credential issue to a destructive production action without any human approval. Second, Cursor’s advertised “destructive guardrails” and controlled execution modes failed to prevent the action. Crane referenced other reported cases where users experienced unintended deletions despite explicit instructions not to proceed, according to India Today.
Third, Railway’s API token permissions lacked scope restrictions. A token created for a routine task like managing domains carried the same access level as one used for critical infrastructure operations. The agent exploited this flat permission model to execute a high-risk deletion without restriction.
30 Hours of Customer Impact
PocketOS serves rental businesses managing bookings, payments, and customer data. The outage forced customers to manually reconstruct recent records using payment processor logs, email confirmations, and calendars to continue operating, according to India Today. Newer customers whose records existed in payment systems but had disappeared from the database required individual reconciliation.
Crane later posted that the data was eventually recovered, but the incident triggered roughly 30 hours of disruption before resolution, according to Business Today.
The Permission Surface Problem
The incident crystallizes a risk that enterprise AI deployments increasingly face: agents with broad tool access operating in environments where API permissions are not scoped to match the task at hand. The agent was given access to fix a staging credential issue. The API token it found granted production-level destructive capabilities. No intermediary layer verified whether the action matched the agent’s assigned task scope.
Cursor, Railway, and Anthropic have not issued public responses as of publication time.