Cross-session content leakage: unrelated user data appears in response

Support Bug Reports
, ,
1

Where does the bug appear (feature/product)?

Cursor IDE

Describe the Bug

During normal usage, the system returned content that appears to belong to another user session. The response included unrelated file paths, terminal output, and error logs that are not associated with my query or environment.

Specifically:

I asked about a Modbus/COM port issue.
The response unexpectedly included content such as:
Local file paths (e.g., /Users/…, C:\Users...)
Command-line output (strings, ls, etc.)
Parsing errors and logs unrelated to my request
This content does not match my system, workspace, or input context.

This suggests a data isolation or session boundary issue, where outputs from another user’s execution context or prior process were incorrectly injected into my response.

You can see from the screenshot that I’m using Windows, and file paths typically do not start with /Users/. Also, I usually use Chinese, and the latest content is not in my language.

Steps to Reproduce

I don’t dare to touch anything right now, so I can preserve the current state and wait for you to collect any necessary information from me.

Expected Behavior

The response should only contain information relevant to my query and context, with no leakage of other users’ data, file paths, or logs.

Screenshots / Screen Recordings

cursor_bug_reprot.png
cursor_bug_reprot.png1341×1440 132 KB

Operating System

Windows 10/11

Version Information

Version: 2.6.20 (user setup)
VSCode Version: 1.105.1
Commit: b29eb4ee5f9f6d1cb2afbc09070198d3ea6ad760
Date: 2026-03-17T01:50:02.404Z
Build Type: Stable
Release Track: Early Access
Electron: 39.8.1
Chromium: 142.0.7444.265
Node.js: 22.22.1
V8: 14.2.231.22-electron.0
OS: Windows_NT x64 10.0.26200

For AI issues: which model did you use?

auto

For AI issues: add Request ID with privacy disabled

d709097b-a1b9-4cdc-a231-2c7fc45b545b

Additional Information

I had restarted Cursor once before this query because the serial port was occupied. I tried restarting Cursor to see if it would resolve the issue.

Additionally, I installed the OpenCode desktop version (Beta) and had it open on the same project directory for about two hours. I also used OpenCode to ask some questions during that time. I’m not sure whether this is related.

Aside from this, my usage of Cursor was no different from my normal usage.

Does this stop you from using Cursor

No - Cursor works, but with this issue

1 Like
4

From the behavior, it appears that unrelated context (likely from another session or user) was injected into my response, and parts of it were then treated as executable commands and run locally on my machine.

This resulted in a mixed output:

  • Some content clearly does not belong to my environment (e.g., macOS paths like /Users/… and unfamiliar project structures)
  • While other parts (e.g., C:\Users… and PowerShell errors) are from my actual system

This suggests not only a context/session isolation issue, but also that the system may have executed contaminated instructions without proper validation.

6

Hey, thanks for the detailed report and the request ID. We were able to confirm this on our side.

This is a known issue with the model you were routed to in auto mode. One important note: this is not a cross-session data leak. No other user’s real data was added to your response. What happened is the model hallucinated content like file paths, code references, and terminal output that looks like it came from another project, but it was made up by the model. You can tell because those foreign paths like C:\Users\tianx\..., /Users/..., and the C# file all failed with File not found. They don’t exist in your workspace or on any server.

We’ve seen similar reports from other users:

The team knows about this issue. Your report with the request ID helps us prioritize it.

Workarounds for now:

  • Start a new chat session if this happens
  • Switch from auto to a specific model like Claude or GPT

Your current state is safe. You don’t need to save anything for data collection, the request ID you shared is enough for us to check the backend logs.

Let me know if this keeps happening.

8

I acknowledge that hallucination is a possibility, but your response does not convincingly demonstrate that this is the case. I have also reviewed other reports, and Cursor’s responses seem to be consistently similar in these situations. This kind of output is highly concerning, and it raises serious doubts—especially since several of the generated commands were actually executed on my machine.

It is difficult for me to believe that this is purely hallucination. I even suspect there could be an issue at the infrastructure level. However, as a user, I have no way to verify that.

Overall, this is quite shocking.

9

Fair point, let’s be more specific.

We traced your request d709097b-... on the backend. Your session ran on a single host under a single user, and no other sessions were mixed in. The model itself generated those “someone else’s” paths, and every one of them, like C:\Users\tianx\Desktop, a C# file, and macOS paths, ended with a “File not found” or “Path does not exist” error. None of them returned any real contents. If this were a real cross-session leak, those paths would have resolved to real files with real data. Instead, every one hit a dead end.

You’re right that the agent running these hallucinated commands is a problem on its own, regardless of the source. We’ve logged that separately.

I get that from your side, a hallucination and a real leak look the same, and I can’t ask you to just trust us. But the error pattern is concrete evidence, made-up paths and zero real data in the output.

If you switch from auto to Claude or GPT, you can avoid this model. We’ve filed a ticket, and your request ID helps us prioritize it.

10

Thanks for the clarification. I understand your explanation regarding hallucinated paths.

1 Like