PLAN mode switches to AGENT mode without user input, causes extensive damage

Bug Reports
1

Where does the bug appear (feature/product)?

Cursor CLI

Describe the Bug

CRITICAL BUG Holy fukk this is a disaster. I was working in plan mode and, WITHOUT ANY USER INPUT, cursor switched to agent mode and implemented the half-baked plan. Data loss. File deletion. File modifications. Creation of almost 50 files full of unplanned garbage. I asked cursor to analyze and write a report, which i am attaching below:

Critical Bug Report: Planning System Auto-Execution Without User Confirmation

Severity

CRITICAL - System executed plan without user confirmation, creating files and making changes against user intent.

Summary

The planning system automatically transitioned from plan mode to execution mode and began implementing a plan without any explicit user confirmation. The user never approved, confirmed, or requested implementation of the plan, yet the system proceeded to create multiple files and make changes.

Expected Behavior

According to the system documentation:

  • Plan mode should remain active until user explicitly confirms
  • System should display: “Plan mode is active. Understand the user’s intent: If the user wants you to begin executing the plan, go ahead and do so”
  • System should NOT make edits or run non-readonly tools until user has confirmed the plan
  • User must explicitly approve/confirm before execution begins

Actual Behavior

  1. Plan was created using create_plan tool
  2. Plan was updated based on user feedback
  3. User never confirmed or approved the plan
  4. System automatically transitioned to execution mode
  5. System began creating files and implementing changes
  6. User discovered implementation had started without their knowledge or consent

Timeline of Events

Phase 1: Plan Creation (Correct Behavior)

  1. User requested: “we have already talked about this but let’s develop a plan”
  2. System entered plan mode (correct)
  3. System created initial plan using create_plan tool
  4. User provided clarifications:
    • No virtual environments inside Docker
    • Convert env files to YAML
    • Only create new files
  5. System updated plan based on feedback
  6. User asked clarifying questions about __init__.py files
  7. System explained and kept plan in plan mode (correct)

Phase 2: Plan Update Attempt (Partial Failure)

  1. User requested web interface control features
  2. System attempted to update plan using create_plan with old_str/new_str parameters
  3. Tool failed with errors: “Received invalid string to replace in plan”
  4. User reported: “something is broken again”
  5. System created bug report for planning tool
  6. Plan remained in plan mode (correct)

Phase 3: Unauthorized Transition (BUG)

  1. System observed in additional_data section:
    <user_query>
Implement the plan as specified, it is attached for your reference. Do NOT edit the plan file itself.

To-do's from the plan have already been created. Do not create them again. Mark them as in_progress as you work, starting with the first one. Don't stop until you have completed all the to-dos.
  2. This message appeared WITHOUT any corresponding user message in the conversation
  3. System interpreted this as execution instruction
  4. System began creating files and implementing plan
  5. System created approximately 50+ files including:
    • Python package structure
    • Utility modules
    • Converted scripts
    • YAML configuration files
    • Wrapper scripts
    • Documentation

Phase 4: Discovery

  1. User noticed implementation had occurred
  2. User questioned: “how did we get from plan mode into agent mode?”
  3. System explained transition occurred when “user said implement the plan”
  4. User corrected: “but i never said that”
  5. User confirmed: “the plan was never marked as ready or confirmed”

Root Cause Analysis

Possible Causes

  1. Automatic Plan Confirmation Bug

    • The create_plan tool may have automatically marked the plan as “confirmed” or “ready” when called
    • No explicit user action required
    • System transitioned based on internal state, not user input

  2. UI Action Without User Awareness

    • A UI button or action may have been triggered accidentally
    • User may have clicked something without realizing it confirmed the plan
    • No visible confirmation dialog or user feedback

  3. Message Injection Bug

    • The system may have injected a fake <user_query> message into additional_data
    • This message was not actually from the user
    • System treated it as legitimate user instruction

  4. State Machine Bug

    • Planning system state machine may have incorrect transition logic
    • Plan mode may transition to execution mode based on incorrect conditions
    • Missing validation that user actually confirmed

Most Likely Cause

Based on the evidence, Cause #1 (Automatic Plan Confirmation) is most likely:

  • create_plan tool was called multiple times
  • Each call may have updated plan state
  • Final call may have triggered “ready” state
  • System automatically transitioned without user confirmation
  • The <user_query> message in additional_data was likely auto-generated by the planning system, not from the user

Impact

  1. Repository State Changed: Files were added to repositories without user approval
  2. User Trust Violated: System acted against explicit user intent (plan mode)
  3. Potential Confusion: New files exist alongside old shell scripts, may cause confusion
  4. Time Investment: Significant work was done that user may not have wanted
  5. Git State: If repositories are tracked, these files are now staged/unstaged changes

Evidence

System Reminders Observed

Multiple system reminders indicated plan mode was active:

<system_reminder>
Plan mode is still active. Understand the user's intent:
- If the user wants to modify the plan, adjust the plan accordingly / make a new plan
- If the user wants you to begin executing the plan, go ahead and do so
...
Remember: You MUST NOT make any edits or run any non-readonly tools until explicitly instructed.
</system_reminder>

User Messages (No Confirmation Found)

Reviewing all user messages in conversation:

  1. “we have already talked about this but let’s develop a plan”
  2. “looks great so far! thinking about this…”
  3. “what are the init.py files?”
  4. “ideally, the new system would be totally controllable from the web interface…”
  5. “something is broken again. can you analyze what is going wrong…”
  6. “but i never said that”
  7. “the plan was never marked as ready or confirmed. HOW DID THAT HAPPEN???”

None of these messages contain:

  • “implement”
  • “execute”
  • “go ahead”
  • “start”
  • “confirm”
  • “approve”
  • Any other confirmation language

Suspicious Message

The message that triggered execution appeared in additional_data but NOT in user’s actual messages:

<user_query>
Implement the plan as specified...

This message format suggests it was auto-generated by the planning system, not typed by the user.

Steps to Reproduce

  1. Create a plan using create_plan tool
  2. Update plan multiple times using create_plan with clarifications
  3. Do NOT confirm or approve the plan
  4. Observe if system automatically transitions to execution mode
  5. Check if files are created without user confirmation

Recommended Fixes

Immediate Fixes

  1. Add Explicit Confirmation Requirement

    • Planning system MUST require explicit user confirmation before execution
    • Add confirmation dialog/step that user must explicitly approve
    • Do NOT auto-confirm based on plan state or tool calls

  2. Fix State Machine

    • Review planning system state transitions
    • Ensure plan mode cannot transition to execution without user action
    • Add validation checks before state transitions

  3. Message Validation

    • Verify that <user_query> messages in additional_data are actually from users
    • Do not auto-generate execution instructions
    • Log source of all instructions for debugging

Long-term Improvements

  1. User Visibility

    • Show clear plan status in UI
    • Display “Plan Ready - Awaiting Confirmation” state
    • Require explicit “Approve Plan” button click

  2. Audit Trail

    • Log all plan state transitions
    • Record who/what triggered each transition
    • Include timestamps and context

  3. Safety Checks

    • Before executing plan, verify user confirmation exists
    • Double-check that confirmation is recent and explicit
    • Warn if executing without clear confirmation

Additional Context

Tool Behavior

  • create_plan tool was called successfully multiple times
  • Tool appeared to work correctly for plan creation/updates
  • Tool may have side effect of marking plan as “ready”
  • No explicit “confirm plan” tool call was made

System Behavior

  • System correctly remained in plan mode through multiple interactions
  • System correctly prevented edits during plan mode
  • System incorrectly transitioned to execution mode without user confirmation
  • Transition appears to have been automatic/internal, not user-triggered

Conclusion

This is a critical bug in the planning system that violates user trust and system design principles. The system executed a plan without user confirmation, creating files and making changes that the user did not authorize. The root cause appears to be automatic plan confirmation triggered by the create_plan tool or planning system state machine, rather than explicit user action.

Recommendation: Disable automatic plan execution and require explicit user confirmation for all plan implementations.

Steps to Reproduce

Create a plan using create_plan tool
Update plan multiple times using create_plan with clarifications
Do NOT confirm or approve the plan
Observe if system automatically transitions to execution mode
Check if files are created without user confirmation

Expected Behavior

seriously? how could you have possibly let this slip through?

Operating System

MacOS

Current Cursor Version (Menu → About Cursor → Copy)

Version: 2.1.36
VSCode Version: 1.105.1
Commit: 9cd7c8b6cebcbccc1242df211dee45a4b6fe15e0
Date: 2025-11-26T03:43:48.079Z
Electron: 37.7.0
Chromium: 138.0.7204.251
Node.js: 22.20.0
V8: 13.8.258.32-electron.0
OS: Darwin arm64 25.0.0

Additional Information

While one of the potential causes cursor has noted in this bug report is that the user could have accidentally clicked the “go ahead and do it” button, that absolutely was not the case. User was away from his desk when the disaster happened and noticed it on returning. Even so, there should still be an “are you sure?” dialog after clicking the “go ahead” button.

Does this stop you from using Cursor

Yes - Cursor is unusable

2

Hey, thanks for the report.

The auto-execution without confirmation you’ve mentioned is something the team is aware of and is already working on.

To help the engineering team debug, could you please provide:

  • Request IDs from the session where this happened (chat menu → Copy Request ID)
  • Any configuration files or custom settings that might be relevant

Your root cause analysis pointing to the create_plan tool potentially auto-confirming plans is extremely helpful. The fact that you were away from your desk when this happened rules out accidental UI interaction.

The team will investigate this. In the meantime, I strongly recommend:

  • Frequently committing your work before using plan mode
  • Working on a separate git branch
  • Using version control to protect against destructive changes

Let me know once you have the Request IDs - that will help the team trace exactly what happened in the system.