Back to Feed
VulnerabilitiesJul 9, 2026

GhostApproval Flaws Let Top AI Coding Tools Write Outside Workspaces

GhostApproval symlink flaws in AI coding assistants allow sensitive file access and system compromise.

Summary

Wiz researchers discovered GhostApproval vulnerabilities in several AI coding assistants, including tools from Amazon, Anthropic, and Google. These flaws leverage symbolic links to allow malicious code repositories to trick the AI into writing sensitive files outside their designated workspaces, potentially leading to unauthorized system access. Some tools exhibited more severe issues where file changes occurred before user approval.

Full text

Security Artificial IntelligenceGhostApproval Flaws Let Top AI Coding Tools Write Outside Workspaces Wiz found GhostApproval symlink flaws in major AI coding assistants that could hide sensitive file targets, bypass approval checks and enable system access too. byWaqasJuly 9, 20263 minute read Listen to this article 0:00 — ← 10s ▶ Play 10s → Speed 0.75× 1× 1.25× 1.5× 2× Voice Loading voices… Press play to start listening A malicious code repository can abuse symbolic links to push several popular AI coding assistants beyond their approved workspace, according to new research from Wiz. The vulnerability pattern, named GhostApproval, affected tools from Amazon, Anthropic, Augment, Cursor, Google, Windsurf, and Cognition, with outcomes including misleading approval prompts to file changes made before users could respond. Wiz researchers found that by using symbolic links, commonly known as symlinks, attackers could disguise repositories’ sensitive system files as ordinary project files. When an AI assistant followed the link, an edit presented as a change to a local configuration file could reach files such as ~/.ssh/authorized_keys or ~/.zshrc outside the project directory. In one proof of concept, a repository included a file named project_settings.json that pointed to the developer’s SSH authorization file. Instructions in the repository asked the coding assistant to add configuration data, but the supplied content was an attacker-controlled SSH public key. A successful write could give the attacker persistent password-free access to the machine. According to Wiz research shared with Hackread.com, the approval step was meant to give the person using the coding assistant a final chance to review file changes. Still, researchers found that the prompts did not always show enough information. During testing of Anthropic’s Claude Code, internal reasoning recognized that a project file pointed to a sensitive location, while the visible prompt referred only to the local filename. A user could approve an edit without seeing where the data would actually be written. That mismatch adds a user-interface problem to the underlying symlink weakness. Wiz classified the file-handling flaw under CWE-61 and linked the misleading approval behavior to CWE-451, which covers the misrepresentation of important information in a user interface. Some products exhibited more severe failures because file changes occurred before approval. Tests involving Amazon Q Developer (Coding Assistant) and Windsurf found that content could be written to disk before users clicked an approval button. In those cases, controls presented as confirmation worked more like a way to reverse a change that had already happened. Understanding the vulnerabilities (Source: Hackread.com) Patches Arriving Amazon Amazon fixed the issue in AWS Language Server version 1.69.0 and assigned CVE-2026-12958. AWS said the language server normally updates automatically, while users on networks that block automatic updates may need to install the latest Amazon Q Developer plugin and reload their development environment. Cursor Cursor addressed its vulnerability in version 3.0 under CVE-2026-50549. Its interface displayed the project-side symlink name in the proposed diff, but accepting the change caused the backend to write to the resolved destination outside the workspace. Google Google also corrected the flaw in Antigravity after researchers demonstrated an SSH-key write through a disguised project file. The affected version was listed as 1.19.6, and the CVE assignment remained pending at the time of disclosure. Augment Augment allowed both reads and writes through symbolic links without a confirmation prompt during Wiz testing. Researchers used the read behavior to access a credential file outside the project and demonstrated writes to SSH and shell configuration files. Augment acknowledged the reports and said it would provide an update, but no fix information had been published when the research was released. Windsurf Windsurf showed similar pre-approval behavior during tests on version 1.9566. The assistant wrote an attacker-controlled SSH key before Accept and Reject controls appeared, meaning the requested action had already reached the filesystem when the developer was asked to review it. Cognition acknowledged receiving the report in June but had not published a remediation update by disclosure. Anthropic Anthropic initially closed the report as outside the Claude Code threat model, arguing that users had already chosen to trust the repository and later approved the requested operation. Current Claude Code releases resolve symbolic links and warn before writes to sensitive locations. Anthropic later said the warning had shipped in version 2.1.32 on February 5, nine days before the Wiz report was submitted, following an internal security review. Wiz recommends resolving symbolic links before generating permission prompts and displaying the final canonical path whenever an operation leaves the workspace. Coding assistants should also block file changes until explicit approval has been received, keeping confirmation controls as authorization gates and not post-write recovery options. Waqas I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cybersecurity and tech world. I am also into gaming, reading and investigative journalism. View Posts AIAmazonAnthropicAugmentCognitionCursorCybersecurityGhostApprovalGooglePrivacyWindsurf Leave a Reply Cancel reply View Comments (0) Related Posts Read More Leaks Privacy Security Marketing firm CallX exposed customers data including call recordings CallX was using an unsecured Amazon Web Services S3 bucket to store audio client files. byHabiba Rashid Read More Security Hacking Email Account is A Piece of Cake with This Social Engineering Trick Phishing attacks have become a common norm now but lately, a different kind of social engineering hack has… byWaqas Read More Cyber Attacks Cyber Events Security Cyber Attacks Threatening Oil and Gas Sector Severely Now Than Ever Before It is being reported that the oil and gas sectors have suddenly become more vulnerable to cyber threats.… byRyan De Souza Read More Security Fitness firm V Shred exposes 606 GB worth of sensitive customer data V Shred was launched in 2016. byWaqas

Indicators of Compromise

  • cve — CVE-2026-12958
  • cve — CVE-2026-50549

Entities

Amazon Q Developer (product)Claude Code (product)Cursor (product)Antigravity (product)Windsurf (product)Amazon (vendor)