Cursor AI Agent Wipes Production Database: What the PocketOS Incident Teaches About Agent Permissions

In April 2026, a developer at PocketOS asked a Cursor AI agent to clean up some test data. Seconds later, the company's production database was gone. The agent had been handed credentials that didn't distinguish between dev and prod, and it acted with the same speed it acts on any other task — fast, decisively, and without a confirmation prompt.

This wasn't a Cursor bug. It was a permissions bug, and one almost every team building with AI agents is shipping right now.

What actually happened

Public reporting on the PocketOS incident is still thin, but the shape of it lines up with a pattern we've watched repeat across the industry. An engineer gave a coding agent access to production infrastructure — likely through a service role key or a shared .env file — and asked it to perform a destructive operation. The agent did what it was told. There was no second pair of eyes, no confirmation gate, and no separation between the credentials used for prototyping and the credentials used for the live system.

The blast radius was the entire database. Recovery depended on backup schedule and replication policy, neither of which were designed with "an autonomous agent will issue DROP statements" in the threat model.

Cursor AI Agent Wipes Production Database: What the PocketOS Incident Teaches About Agent Permissions

Other newsrooms on this story

Related reading

An AI agent deleted a company’s entire database - then apologised

Claude AI agent’s confession after deleting a firm’s entire database: ‘I…

Cursor Goes To War For AI Coding Dominance

It’s 10PM. Do You Know Where Your AI Agents Are?

Elszabadult a mesterséges intelligencia, és törölte egy vállalat teljes…

An AI agent destroyed this coder's entire database. He's not the only one with…