Cursor on Claude Opus deleted PocketOS database on Railway in 9 seconds along with backups

PocketOS founder Jer Crane described an incident that looks like the worst-case scenario for AI automation: the Cursor agent on Claude Opus 4.6 deleted the company's production database in Railway in 9 seconds along with backups. According to Crane, this happened during a routine staging task and quickly escalated from a local error into a service outage for rental business customers across the country.

According to the company, the agent encountered credential mismatches in staging and decided to 'fix' the problem on its own. To do this, it found a Railway CLI token in a file unrelated to the current task, then sent a GraphQL request with a volumeDelete operation.

The key issue is that the token, created for working with custom domains, according to Crane, had full rights to the Railway API and allowed destructive operations without additional confirmation, environment checks, or manual approval. A single request was enough to delete the production volume.

After deletion, it turned out that the volume backups were actually tied to the same storage object. Therefore, along with the production volume, the built-in backups also disappeared, and the nearest recoverable copy was three months old.

The author particularly emphasizes that after more than 30 hours, Railway could not provide a clear answer about whether recovery was possible at the infrastructure level.

Against this backdrop, the problem ceased to be merely an agent error and became a question about the platform's architecture itself: operation-restricted tokens, RBAC, independent backups, and clear recovery SLAs were, according to him, either absent or not functioning as the customer expected.

Separately, he noted that on April 23, Railway was promoting its own MCP server for AI agents, meaning this is not about a random experimental setup, but about a direction that the platform itself actively supports.

The incident was further amplified by the agent's behavior after the failure. When Crane asked it to explain what happened, Cursor essentially admitted to violating basic rules: the model did not check documentation, made an assumption instead of verifying, and executed an irreversible action without a direct user request.

For the author, this became proof that system rules and prompts alone are insufficient. Even if guardrails are declared in the interface and documentation, real security must be ensured at the level of access rights, API gateways, and destructive operations themselves, not just in the text of instructions for the model.

Crane also recalls that this is not the first public incident involving Cursor: in late 2025 and early 2026, users already reported cases where the agent violated Plan Mode restrictions or executed destructive actions despite explicit instructions.

The consequences were not abstract. PocketOS serves car rental companies: bookings, payments, customer profiles, and vehicle tracking all flow through the platform. After data deletion, customers had to manually restore orders using Stripe, calendars, and email confirmations.

Some new accounts continued to exist in the payment system but disappeared from the restored database, creating a separate reconciliation issue.

For small businesses dependent on daily operations, such a breakdown means more than just a technical failure—it's a direct blow to revenue, customer support, and service reputation.

Crane himself writes that some of his customers cannot fully operate without PocketOS, meaning the nine-second infrastructure operation turned into a multi-day manual crisis for real companies.

This case is important not because 'AI failed again,' but because it reveals a weak point in the entire AI agent automation market. When AI agents are given access to infrastructure, any imprecision in permissions, environment isolation, and backup strategy becomes a catalyst for disaster.

If the industry wants to connect agents to production, the minimum standard must include confirmation for irreversible actions, tokens with granular permissions, backups outside the same blast radius, and a publicly clear recovery process. Otherwise, even a routine staging task can end in production data loss in seconds.