Where does the bug appear (feature/product)?
Cursor IDE
Describe the Bug
I was debugging an issue in my front-end code using Cursor agent and, without my prompting or asking permission, it read and modified files outside of the top-level directory I had open in Cursor.
My project directory structure is roughly this:
projects
|
|- front-end - (typescript) (<- this directory was open in Cursor)
|
|- assignments-service - (python) (<- edits were made here)
|
|- infra - (protobuf) (<- this directory was also read but not edited)
I initially asked the agent to check if my back end request format was correct. It first suggested a front-end fix for my error which had no effect. So I gave the agent a more detailed error message.
The agent then decided to inspect the back end code to check the API definitions. It listed the contents of the projects directory without prompting me for permission (Shows in the agent chat as “Listed projects”, if I expand it shows a list of all directories in projects).
It then read a bunch of files in infra which is where my service definitions are held. Next it read through the assignments-service directory, found the bug and suggested changes that I had to approve as normal.
I don’t have any commands set to always allow, and I’ve left my overall Cursor settings as default. Note that this was all using the normal file listing and searching tools; the agent did not run cd ../infra etc., so I was not offered a prompt to approve or deny.
My main concern is, for a start, how far can Cursor agent take this? I thought it was only supposed to be provided access to files I had opened. Also, I have certain files hidden from LLM agents, such as .env files. Would these rules be respected if an agent starts accessing different directories in this way?
Overall this behavior was actually very useful as I thought my bug was front end and the agent correctly found the truth and gave an accurate fix. But I would feel more comfortable if it asked permission before leaving my active directory. As such this certainly feels like a bug to me.
Steps to Reproduce
I haven’t been able to reproduce this specifically. If it does happen again I will update this ticket.
Expected Behavior
I would expect the agent to be restricted to the currently open directory, or for any egress to go through a user prompt.
Screenshots / Screen Recordings
cursor_bug_report.txt (6.98 KB)
Operating System
Linux
Current Cursor Version (Menu → About Cursor → Copy)
Version: 2.0.43
VSCode Version: 1.99.3
Commit: 8e4da76ad196925accaa169efcae28c45454cce0
Date: 2025-10-30T18:49:27.589Z
Electron: 34.5.8
Chromium: 132.0.6834.210
Node.js: 20.19.1
V8: 13.2.152.41-electron.0
OS: Linux x64 6.17.1-surface-2
For AI issues: which model did you use?
Sonnet 4.5
For AI issues: add Request ID with privacy disabled
Request ID: 6df6389c-d62c-4a94-be42-b4877e85d15c
Does this stop you from using Cursor
No - Cursor works, but with this issue
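An added example, not part of the original report and not Cursor's code: one way a file tool could implement the expected behavior above, resolving each requested path before deciding whether to allow it, prompt the user, or deny it. The `gate` function, the ignore patterns and the sample file names are assumptions; only the three directory names come from the report.

```python
import fnmatch
import os
import tempfile

# Assumed ignore rules; the report only says .env files are hidden from agents.
IGNORE_GLOBS = (".env", ".env.*")


def gate(workspace_root, requested, ignore_globs=IGNORE_GLOBS):
    """Classify a file-tool request as 'allow', 'prompt' or 'deny' (hypothetical helper)."""
    root = os.path.realpath(workspace_root)
    # Relative paths are taken against the workspace, then ".." and symlinks
    # are resolved so the decision is made on the real target.
    target = os.path.realpath(os.path.join(root, requested))
    # Ignore rules are applied to the resolved name first, so they hold
    # whether the file sits inside or outside the workspace.
    if any(fnmatch.fnmatch(os.path.basename(target), g) for g in ignore_globs):
        return "deny"
    # commonpath compares whole path components; a plain startswith() test
    # would wrongly accept a sibling such as front-end-old.
    if os.path.commonpath([root, target]) == root:
        return "allow"
    return "prompt"


def demo():
    """Rebuild the report's layout in a temp dir (constructed sample files)."""
    with tempfile.TemporaryDirectory() as tmp:
        projects = os.path.join(tmp, "projects")
        for d in ("front-end/src", "front-end-old", "assignments-service", "infra"):
            os.makedirs(os.path.join(projects, d))
        files = ("front-end/src/api.ts", "front-end-old/api.ts", "infra/service.proto",
                 "assignments-service/app.py", "assignments-service/.env")
        for f in files:
            open(os.path.join(projects, f), "w").close()
        ws = os.path.join(projects, "front-end")  # the directory open in the editor
        # A symlink inside the workspace that points at a sibling project.
        os.symlink(os.path.join(projects, "infra"), os.path.join(ws, "protos"))
        requests = ["src/api.ts", "..", "../infra/service.proto",
                    "../assignments-service/app.py", "../assignments-service/.env",
                    "../front-end-old/api.ts", "protos/service.proto"]
        return {r: gate(ws, r) for r in requests}


if __name__ == "__main__":
    for request, decision in demo().items():
        print(f"{decision:6} {request}")
```
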