Where does the bug appear (feature/product)?

Cursor IDE

Describe the Bug

URGENT: Cursor Bug Report - Conversation Context Contamination

Summary

Cursor AI is injecting conversation summaries from unrelated conversations/sessions into new chat sessions, causing severe data isolation and context contamination issues.

Severity

CRITICAL - This represents a serious data isolation bug that could potentially expose information between different users, workspaces, or sessions.

Description

When starting a new conversation in Cursor AI, a summary from a completely unrelated conversation about a Python project is being injected at the beginning of the context, despite the user:

1. Never working on any Python project with main.py or test_main.py
2. Actually working on a Vue.js/JavaScript project
3. Never mentioning anything about README creation for a Python project

Evidence

What the AI received at conversation start:

Summary:
1. Primary Request and Intent:
   The user wants to create a `README.md` file for their project. This `README.md` file should include a project title, a description, a "How to Run" section, and a "How to Test" section. Specifically, the "How to Run" section needs to contain instructions for executing the `main.py` script, and the "How to Test" section needs to include instructions for running the `test_main.py` script.

2. Key Technical Concepts:
   - Markdown (`.md`) for project documentation.
   - Python script execution using `python <script_name>.py`.
   - Python testing using `pytest`.

3. Files and Code Sections:
   - `README.md`
     - This file is the primary output requested by the user and serves as the project's documentation.
     - The file was created with the following content:
     ```markdown
     # My Python Project

     This is a simple Python project.

     ## How to Run

     To run the main script, execute:
     ```bash
     python main.py
     ```

     ## How to Test

     To run the tests, execute:
     ```bash
     pytest test_main.py
     ```
     ```

Actual workspace context:

• Branch: BRANCH
• Project Type: Vue 3 SPA with Vite
• Technologies: JavaScript/Vue.js/Node.js - NO Python whatsoever
• Existing README: Already has a comprehensive README.md for the Vue.js project

Investigation Performed

Thoroughly searched local filesystem for the source of this contaminated context:

• Checked all workspace storage directories
• Checked global storage
• Searched for references to main.py, test_main.py, pytest, “My Python Project”
• Checked conversation/chat history files

Result: The contaminated summary is NOT stored locally - it’s being injected from Cursor’s backend/server.

Impact

1. Immediate: AI provides incorrect, confusing responses based on wrong context
2. Data Privacy: Suggests potential cross-contamination of conversation data between different users/sessions/workspaces
3. Trust: Users cannot trust that their conversations are properly isolated
4. Productivity: Time wasted debugging and dealing with incorrect AI responses

Steps to Reproduce

1. Open Cursor in workspace: my-repo (Vue.js project)
2. Start a new AI conversation
3. Ask a question about the current project
4. AI receives injected summary about unrelated Python project at context start
5. AI provides confused/incorrect responses based on contaminated context

Expected Behavior

• Each new conversation should start with clean context
• Only relevant workspace information should be included
• No summaries from other conversations/workspaces should be present

Actual Behavior

• Conversation starts with summary about “My Python Project” with main.py and test_main.py
• This summary appears BEFORE any user messages
• Summary describes conversation/actions that never occurred in this session

System Information

• OS: macOS 24.6.0 (Darwin)
• Shell: /bin/zsh
• Cursor Version: (from application)
• Git Branch: BRANCH
• Date/Time: Thursday, October 23, 2025

Reproduction Timestamp

This bug was observed and documented during a conversation session on October 23, 2025, approximately 7:05-7:30 PM.

Recommended Actions for Cursor Team

1. Immediate: Investigate conversation summary storage/retrieval mechanism
2. Audit: Check for other instances of cross-contamination in conversation contexts
3. Fix: Ensure proper isolation of conversation contexts per user/workspace/session
4. Verify: Add tests to prevent conversation data leakage between sessions
5. Review: Security audit of how conversation summaries are stored and retrieved

Additional Notes

• This is not a caching issue (verified by checking local filesystem)
• This is not a workspace-specific issue (proper workspace was loaded)
• The contaminated summary appears to be from a completely different conversation, possibly different user/workspace

Contact

• User: USERNAME
• Available for follow-up: Yes

This bug report was generated on: October 23, 2025
Urgency Level: CRITICAL - Requires immediate investigation

Steps to Reproduce

All in issue above

Expected Behavior

All in issue above

Operating System

MacOS

Current Cursor Version (Menu → About Cursor → Copy)

Version: 1.7.53 (Universal)
VSCode Version: 1.99.3
Commit: ab6b80c19b51fe71d58e69d8ed3802be587b3410
Date: 2025-10-20T19:15:58.572Z
Electron: 34.5.8
Chromium: 132.0.6834.210
Node.js: 20.19.1
V8: 13.2.152.41-electron.0
OS: Darwin arm64 24.6.0

For AI issues: which model did you use?

Claude 4.5 Sonnet

Does this stop you from using Cursor

Yes - Cursor is unusable

UP!!!

this is serious. could potentially be a security issue.

Hey, thanks for the report. To understand what’s happening:

Can you clarify how you saw the “Summary” block?

• Did the AI include this summary in its reply?
• Do you have screenshots of the conversation where it appeared?

Why this matters:

• If the AI mentioned this Python project in its response, it might be a model hallucination

Also helpful:

• Request ID with Privacy Mode turned off
• Screenshots of the full conversation
• Check if you have any .cursorrules files that reference Python/pytest

Let me know, this will help determine whether it’s a model hallucination or real data contamination.

Hello!

To clarify this is happening only in this repository for some reason, it’s almost like it got stuck in a loop and no matter how many times i quit or how many upgrades Cursor goes through, this does not resolve. This has been happening for the last few weeks and sometimes it gets to the point where it just doesn’t even try to answer the question and gets stuck with this summary thing. Below you can see a screenshot of an interaction from yesterday, and I also expanded its thoughts so that you can see how it’s thinking about this.

I also tried deleting the chat cache in ~/Library/Application\ Support/Cursor/User/workspaceStorage/ and the specific cache for this repo, but that did nothing.

I have no cursor rules in this repo. I don’t even have Python repos in my computer, so this is certainly not coming from me.

Request ID: a2bfab55-1b8d-4b36-b30e-56e480e8f146

I’m using a Business Cursor account, so I don’t think I can turn off Privacy mode.

image930×962 89.4 KB

image872×548 24.8 KB

Thanks for the info, I’ll pass this to the team.

Oh, one last important detail: this is happening with more than just one model, so it’s not model-specific. I have seen this happen with both claude sonnet 4.5 and gpt-5.

Where does the bug appear (feature/product)?

Cursor IDE

Describe the Bug

Currently I am trying to use cursor to do reverse engineering of an EXE, but once the context fills and it summarizes the chat context, it for some reason believes that it is told to make a CSV duplication detection flask application, which is something I have never told it to do, nor is it even related to what I am doing, even causing the LLM to get rather confused, as shown by its thought process:

Planning Flask app implementation
I need to implement a Flask web app for CSV duplicate detection. 
The user provided a detailed summary, outlining the structure and current code snippets. 
However, it seems I'm not in the right workspace, as I'm seeing a CTF reverse engineering folder filled with EXE and IDA files instead. 
I should create necessary files for the Flask app, like app.py, templates, static files, and a requirements file. 
I must manage the implementation step by step and ensure I provide status updates along the way.

I have tried moving directories, and starting a new chat, and even changing models, but its rather persistent on doing this. Not sure what is causing it.

If I had to make a guess, is this some sort of unit test/hardcoded response for something? I haven’t ever asked it to do a task like this, and no one else develops on my system or my account, making this rather strange. This also occured shortly after I had updated, and I have never had this problem before.

Steps to Reproduce

At least for me, I was reverse engineering a Windows Binary, using an IDA Pro MCP Server, so the context was filled up rather quickly. This is an issue for multiple models as well.

Expected Behavior

It should be giving the proper message summary according to what its doing, not something completely random and unrelated.

Screenshots / Screen Recordings

Screenshot From 2025-11-01 12-51-20.png566×1197 134 KB

Operating System

Linux

Current Cursor Version (Menu → About Cursor → Copy)

Version: 2.0.47
VSCode Version: 1.99.3
Commit: deaab40c3ffd3f2df9bcbb01301f9a9be3424170
Date: 2025-11-01T16:24:53.717Z
Electron: 37.7.0
Chromium: 138.0.7204.251
Node.js: 22.20.0
V8: 13.8.258.32-electron.0
OS: Linux x64 6.17.5-cachyos1.fc43.x86_64

Additional Information

This has happened several times, and in new chat contexts and directories. I have not tested with other binaries, but I highly doubt that this is a prompt injection. This is rather frustrating as I am wasting money due to this, since it can’t really continue on, since it thinks its supposed to be doing something else, and just wasting tokens.

The attached screenshot also includes a bit of what the summary allegedly contained, which again, is not related to anything I have ever done with cursor.

Does this stop you from using Cursor

Sometimes - I can sometimes use Cursor

I experience the same problem. Mine is a next js application.
In my case, the context goes up from %15 percent to %100 immediately in one step.

It also start think that my app is a flask app the has CSV download route

Can confirm the same issue - Context usage suddenly spikes, triggers a chat context summarization, and then pivots to implementing a “Flask CSV application”.

I have a fresh install of Cursor 2.0.43 and migrated a perfectly working Vue project from vs-code where agents worked on it with no problem.

I’m having this, too. I moved to a different project because the LLM was saying it was from a ‘summary’, but I see now its happening when the chat thread is summarized. Its the same Flask/CSV thing every time though, so bizarre.

Update: The same repository has now switched to the “Flask/CSV” context that other users are mentioning.

This is a very serious data contamination issue that Cursor should be prioritizing. How far has this contamination gone? Where are we getting this from? Are other users seeing our own personal rules? Cursor needs to give an explanation about what exactly is happening here.

Where does the bug appear (feature/product)?

Cursor IDE

Describe the Bug

During Agent/Ask mode, sometimes, when the context is only 20-30% complete, for some reason, the chat summary is made, after which the model switches to the task:

“I am creating main.py with a Flask application and the endpoint /languages.”

The reason for this non-existent task is that it was provided in the summary:

"Summary:

1. Primary Request and Intent:
   The user wants to create a simple web application using Flask that displays a list of programming languages. The application should have a single endpoint, /languages, which returns a JSON array of programming languages. The user explicitly requested to start by creating a main.py file and defining the /languages endpoint." I’ve never written in Python, and I’ve never asked a question about Python.

This happens with any of the available models.
I’ve had about five incidents since yesterday evening.

Steps to Reproduce

Start a new conversation or session
At some point, before the context is filled, the chat will make a summary.
The summary contains instructions for creating a Python application using the Flask framework

Expected Behavior

The AI assistant should:
Ignore or validate the summary information based on the current context of the conversation
Prioritize the user’s actual request over the summary content
Ask for clarification if the summary contradicts the current context
Use the summary only as a reference, not as practical instructions

Screenshots / Screen Recordings

photo_2025-11-06_17-40-38.jpg481×892 108 KB

Operating System

MacOS

Current Cursor Version (Menu → About Cursor → Copy)

Version: 2.0.64 (Universal)
VSCode Version: 1.99.3
Commit: 25412918da7e74b2686b25d62da1f01cfcd27680
Date: 2025-11-06T04:35:14.424Z
Electron: 37.7.0
Chromium: 138.0.7204.251
Node.js: 22.20.0
V8: 13.8.258.32-electron.0
OS: Darwin arm64 25.0.0

For AI issues: which model did you use?

Any model

For AI issues: add Request ID with privacy disabled

Request ID’s:
dd3ea8e8-1600-42ab-ac7e-22da6e220138
cc56dc2a-35e0-4d22-a92e-6cc0db4fcc47
ddb8e76f-530b-481e-aaa7-a920c9cf81e7

Additional Information

Also, in agent mode, the error “Tool read_file not found” appears all the time. You can see this in the screenshots. It happens constantly, in every interaction with the chat.

Does this stop you from using Cursor

Sometimes - I can sometimes use Cursor

Chain of Actions Leading to the Error

1. I call mcp_dart_analyze_files (Dart MCP tool for static code analysis)
2. The analysis results are large (errors, warnings, info)
3. The context window becomes full
4. The system automatically generates a summary to compress context
5. The summary includes historical Flask/Python task information from previous sessions
6. After the summary, I read that Flask task as the current request
7. I start implementing a Flask application in Python, even though:
   • The current project is a Flutter/Dart project
   • The user never asked for Flask/Python work
   • The Flask task is historical, not current

The Root Problem

The summary includes historical information that I then treat as the active task after context compression, causing me to execute an outdated task instead of waiting for or asking for the actual current request.

Questions to Investigate

1. Why does the summary contain Flask/Python information if it’s historical?
2. Is there a trigger that makes me treat summary content as actionable?
3. Can I distinguish between historical summary and the current user query after compression?
4. Should I verify the task before executing after a summary?

Should I investigate this further or propose a fix?

Where does the bug appear (feature/product)?

Cursor IDE

Describe the Bug

I started a new agent chat session for a website project (Figma design → Next.js/TypeScript). My first message provided the Figma file URL and instructed the agent to read a DEBUG_AGENT.md file for instructions.

However, the AI agent was provided with a chat summary from a completely different, unrelated conversation about building a Flask API. The agent initially responded based on this incorrect summary, asking if I wanted to add a Python Flask backend to my Next.js project and discussing creating a main.py file.

Agent was completely derailed and confused about the project context. Required manual correction from me to get agent back on track. Could have resulted in destructive changes to wrong files if I hadn’t caught it.

The agent confirmed it doesn’t have the Flask API chat in its actual message history - the contamination only appeared in the summary block provided at session start. This suggests the bug is in the conversation summarization/context management system, not the agent itself.

Steps to Reproduce

Unsure how to reproduce. It pulled in a chat summary from months ago in a totally different folder/project from the one I’m working in.

Expected Behavior

The agent should have received an accurate summary of previous messages from THIS specific conversation thread about the website project

Screenshots / Screen Recordings

Screenshot 2025-11-09 at 10.14.27 AM.png1994×2402 568 KB

Operating System

MacOS

Current Cursor Version (Menu → About Cursor → Copy)

Version: 2.0.69
VSCode Version: 1.99.3
Commit: 63fcac100bd5d5749f2a98aa47d65f6eca61db30
Date: 2025-11-07T18:21:29.650Z
Electron: 37.7.0
Chromium: 138.0.7204.251
Node.js: 22.20.0
V8: 13.8.258.32-electron.0
OS: Darwin arm64 24.5.0

For AI issues: which model did you use?

Sonnet 4.5

For AI issues: add Request ID with privacy disabled

15e8d355-8efa-46c8-bae6-f0c81c868de0

Does this stop you from using Cursor

No - Cursor works, but with this issue

I have quit and restarted Cursor, archived all my previous chats from this project, cleaned up the folder, tried a bunch of things, and yet every time it summarizes the chat, it pulls in context from this random Flask API chat from a totally unrelated project and derails the agent. Agent mode is borderline unusable with this issue.