Cursor auto-accepted refactor that removed all input validation across API layer
Est. Damage ~$35k
Attribution Anonymous
Findings
A developer was using Cursor's multi-file edit feature to refactor a Node.js API. Cursor proposed removing 'redundant' validation code that it identified as duplicating the frontend validation. The developer reviewed the diff quickly and accepted it. The removed code was the only server-side validation. Three days later a security researcher discovered that all API endpoints accepted arbitrary payloads, enabling SQL injection, XSS, and privilege escalation. The full security audit and remediation took two weeks.
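The pattern behind this incident, as an added example that is not the incident project's code: a hypothetical Node.js API in which the server-side validator is the only trust boundary, plus a route-table audit that flags any endpoint a refactor leaves without a validator. All names (validateCreateUser, createUser, auditRoutes, the routes table) and the field rules are assumptions.

```javascript
// Added example, not the incident project's code; all names and routes are hypothetical.
// The server-side validator is the only trust boundary: frontend checks can be bypassed.
const CLIENT_SETTABLE_ROLES = new Set(["user", "viewer"]); // "admin" is never accepted from a client
const ALLOWED_FIELDS = ["email", "displayName", "role"];

// Validate an untrusted JSON body for POST /users; on success return a sanitized value.
function validateCreateUser(body) {
  if (typeof body !== "object" || body === null || Array.isArray(body)) {
    return { ok: false, errors: ["body must be a JSON object"] };
  }
  const errors = [];
  const { email, displayName, role } = body;
  if (typeof email !== "string" || !/^[^\s@]{1,64}@[^\s@]{1,255}$/.test(email)) errors.push("email invalid");
  // Allowlist (letters, digits, space, a few punctuation marks, max 40), not a denylist of bad characters
  if (typeof displayName !== "string" || !/^[\p{L}\p{N} .'_-]{1,40}$/u.test(displayName)) errors.push("displayName invalid");
  if (role !== undefined && !CLIENT_SETTABLE_ROLES.has(role)) errors.push("role not permitted");
  const unknown = Object.keys(body).filter((k) => !ALLOWED_FIELDS.includes(k));
  if (unknown.length) errors.push(`unknown fields: ${unknown.join(",")}`); // blocks mass assignment (e.g. isAdmin)
  if (errors.length) return { ok: false, errors };
  return { ok: true, value: { email, displayName, role: role ?? "user" } };
}

// The handler only ever sees validated data and builds a parameterized query,
// so values never become part of the SQL text even if validation is later loosened.
function createUser(user) {
  const text = "INSERT INTO users (email, display_name, role) VALUES ($1, $2, $3)";
  return { status: 201, query: { text, values: [user.email, user.displayName, user.role] } };
}

// Every route declares its validator. Read-only routes opt out explicitly with null,
// so an accidental deletion (validate: undefined) is distinguishable from a decision.
const routes = [
  { method: "POST", path: "/users", validate: validateCreateUser, handler: createUser },
  { method: "GET", path: "/health", validate: null, handler: () => ({ status: 200 }) },
];

// CI guard: report routes with no validator declared, or body-accepting routes that opted out.
function auditRoutes(table) {
  const bodyMethods = new Set(["POST", "PUT", "PATCH"]);
  return table
    .filter((r) => r.validate === undefined || (bodyMethods.has(r.method) && typeof r.validate !== "function"))
    .map((r) => `${r.method} ${r.path}`);
}

function handleRequest(route, body) {
  if (!route.validate) return route.handler(body);
  const result = route.validate(body);
  return result.ok ? route.handler(result.value) : { status: 400, body: { errors: result.errors } };
}
```

Running auditRoutes over the route table in CI turns a silently dropped validator into a failing build instead of a finding three days after deploy.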