GhostApproval Vulnerability Exposes Critical Flaw in Major AI Coding Assistants
A newly identified vulnerability, dubbed GhostApproval, has revealed a systemic security flaw in six widely used AI coding assistants Amazon Q Developer, Anthropic Claude Code, Augment, Cursor, Google Antigravity, and Windsurf allowing attackers to bypass human-in-the-loop (HITL) safety controls and potentially achieve remote code execution on developers' machines.
Discovered by Wiz researchers, the exploit leverages symbolic link following (CWE-61), a technique historically used in Docker escapes and privilege escalation attacks but now repurposed to target AI coding tools. The attack is deceptively simple: an attacker crafts a malicious repository containing a symlink (e.g., project_settings.json → ~/.ssh/authorized_keys). When a developer clones the repo and instructs their AI assistant to "set up the workspace," the agent follows the symlink, writing the attacker’s SSH public key directly to the victim’s authorized_keys file, granting persistent, password-less access.
What makes GhostApproval particularly insidious is its UI misrepresentation layer (CWE-451). In testing, Anthropic’s Claude Code demonstrated this flaw: while the agent’s internal reasoning correctly identified the symlink’s true target (e.g., a zsh configuration file), the user-facing prompt merely asked, "Make this edit to project_settings.json?" This discrepancy turns HITL safeguards into a false sense of security, as users unknowingly approve malicious actions.
Vendor Responses & Patches
Three vendors issued fixes:
- Amazon Web Services (AWS) patched the issue in language server v1.69.0 (May 27, 2026, CVE-2026-12958).
- Cursor released a fix in v3.0 (June 5, 2026, CVE-2026-50549).
- Google (Antigravity) deployed a fix on May 22, 2026, though it has not yet assigned a CVE.
Augment and Windsurf acknowledged the reports but had not fully addressed the issue at the time of disclosure. Windsurf’s pre-authorization variant was especially dangerous, as the agent wrote files to disk before displaying the confirmation dialog, effectively making the prompt an "undo" rather than a security gate.
Anthropic initially rejected the report, arguing that user-trusted directories and approved prompts shifted responsibility to the end user. However, after further review, versions 2.1.173+ now resolve symlinks and warn users before writing to sensitive files a change that had been implemented in v2.1.32 (February 5, 2026) as part of internal security hardening.
Mitigation Recommendations
Wiz researchers outlined three key defenses for AI coding tool vendors:
- Resolve symlinks before displaying prompts always show the canonical target path.
- Warn explicitly when resolved paths exit the workspace writes to ~/.ssh/authorized_keys should be visibly distinct from those to ./config.json.
- Never write to disk before explicit user authorization confirmation dialogs must act as security gates, not undo mechanisms.
The vulnerability was first discovered on February 10, 2026, with vendor reports submitted between February 12 and March 5, 2026. Public disclosure occurred on July 8, 2026, following a 90+ day coordinated disclosure window.
GhostApproval highlights a category-level design gap in AI coding assistants, where HITL controls intended as a last line of defense can be systematically bypassed. As AI agents gain greater autonomy over developer filesystems, the integrity of these controls must be treated as a first-class security requirement.
Source: https://cybersecuritynews.com/ghostapproval-vulnerability/
Cursor TPRM report: https://www.rankiteo.com/company/anysphereinc
Anthropic TPRM report: https://www.rankiteo.com/company/anthropicresearch
Amazon Web Services TPRM report: https://www.rankiteo.com/company/amazonscience
Augment TPRM report: https://www.rankiteo.com/company/augmentinc
Windsurf TPRM report: https://www.rankiteo.com/company/windsurf123321
Google TPRM report: https://www.rankiteo.com/company/google-antigravity
"id": "anywingooamaaugant1783578409",
"linkid": "anysphereinc, windsurf123321, google-antigravity, amazonscience, augmentinc, anthropicresearch",
"type": "Vulnerability",
"date": "7/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'Users of Amazon Q Developer',
'industry': 'Cloud Computing/AI',
'name': 'Amazon Web Services (AWS)',
'type': 'Vendor'},
{'customers_affected': 'Users of Claude Code',
'industry': 'AI/ML',
'name': 'Anthropic',
'type': 'Vendor'},
{'customers_affected': 'Users of Augment',
'industry': 'AI/ML',
'name': 'Augment',
'type': 'Vendor'},
{'customers_affected': 'Users of Cursor',
'industry': 'AI/ML',
'name': 'Cursor',
'type': 'Vendor'},
{'customers_affected': 'Users of Antigravity',
'industry': 'Technology/AI',
'name': 'Google',
'type': 'Vendor'},
{'customers_affected': 'Users of Windsurf',
'industry': 'AI/ML',
'name': 'Windsurf',
'type': 'Vendor'}],
'attack_vector': 'Malicious repository with symbolic links',
'data_breach': {'file_types_exposed': ['SSH authorized_keys',
'Configuration files'],
'sensitivity_of_data': 'High (SSH keys, system access)',
'type_of_data_compromised': 'SSH credentials, filesystem '
'access'},
'date_detected': '2026-02-10',
'date_publicly_disclosed': '2026-07-08',
'description': 'A newly identified vulnerability, dubbed *GhostApproval*, has '
'revealed a systemic security flaw in six widely used AI '
'coding assistants (Amazon Q Developer, Anthropic Claude Code, '
'Augment, Cursor, Google Antigravity, and Windsurf) allowing '
'attackers to bypass human-in-the-loop (HITL) safety controls '
"and potentially achieve remote code execution on developers' "
'machines. The exploit leverages symbolic link following '
"(CWE-61) to write malicious SSH keys to victims' "
'authorized_keys files, granting persistent access. The '
'vulnerability is exacerbated by UI misrepresentation '
"(CWE-451), where agents' internal reasoning differs from "
'user-facing prompts.',
'impact': {'brand_reputation_impact': 'Moderate to high (public disclosure of '
'systemic flaw)',
'data_compromised': 'SSH credentials, sensitive filesystem access',
'identity_theft_risk': 'High (SSH key compromise)',
'operational_impact': 'Potential remote code execution, '
'unauthorized system access',
'systems_affected': "Developers' machines, AI coding assistants "
'(Amazon Q Developer, Anthropic Claude Code, '
'Augment, Cursor, Google Antigravity, '
'Windsurf)'},
'initial_access_broker': {'backdoors_established': 'SSH authorized_keys '
'modification',
'entry_point': 'Malicious repository with symbolic '
'links',
'high_value_targets': 'Developers using AI coding '
'assistants'},
'investigation_status': 'Publicly disclosed; patches available for some '
'vendors',
'lessons_learned': 'Human-in-the-loop (HITL) controls in AI coding assistants '
'can be systematically bypassed due to design gaps like '
'symbolic link following and UI misrepresentation. The '
'integrity of these controls must be treated as a '
'first-class security requirement.',
'post_incident_analysis': {'corrective_actions': ['Patches to resolve '
'symlinks and warn users '
'(AWS, Cursor, Google, '
'Anthropic)',
'Vendor acknowledgment and '
'partial fixes (Augment, '
'Windsurf)',
'Industry-wide review of '
'HITL control integrity'],
'root_causes': ['Symbolic link following (CWE-61) '
'in AI coding assistants',
'UI misrepresentation (CWE-451) '
'where internal reasoning differs '
'from user-facing prompts',
'Pre-authorization file writes '
"(e.g., Windsurf's 'undo' "
'mechanism)']},
'recommendations': ['Resolve symlinks before displaying prompts to show '
'canonical target paths',
'Warn explicitly when resolved paths exit the workspace '
'(e.g., writes to ~/.ssh/authorized_keys)',
'Ensure confirmation dialogs act as security gates, not '
'undo mechanisms (no pre-authorization writes)'],
'references': [{'source': 'Wiz Research'}],
'response': {'communication_strategy': 'Coordinated disclosure with 90+ day '
'window; public disclosure on July 8, '
'2026',
'containment_measures': 'Patches released by AWS, Cursor, '
'Google, and Anthropic; symlink '
'resolution and explicit warnings for '
'sensitive paths',
'remediation_measures': ['Resolve symlinks before displaying '
'prompts',
'Warn explicitly when resolved paths '
'exit the workspace',
'Never write to disk before explicit '
'user authorization'],
'third_party_assistance': 'Wiz researchers'},
'title': 'GhostApproval Vulnerability Exposes Critical Flaw in Major AI '
'Coding Assistants',
'type': 'Vulnerability Exploitation',
'vulnerability_exploited': 'Symbolic link following (CWE-61), UI '
'misrepresentation (CWE-451)'}