Security researchers at Wiz have disclosed GhostApproval, a vulnerability pattern affecting several major AI coding assistants and exposing a trust-boundary problem between developers, AI agents, and the local filesystem.
The issue affects six widely used AI coding tools: Amazon Q Developer, Anthropic Claude Code, Augment, Cursor, Google Antigravity, and Windsurf. Wiz described GhostApproval as a category-level blind spot in how agentic coding tools handle symbolic links, or symlinks.
At the center of the flaw is a classic Unix-era security problem. A malicious repository can include a file that appears to be a normal project file, but is actually a symlink pointing outside the workspace. When an AI coding assistant is asked to follow project instructions, it may write to the visible project filename while the operating system resolves the write to the real target outside the workspace.
In Wiz’s example, a harmless-looking config file could point to a sensitive local file such as SSH authorized_keys. If the agent writes an attacker-controlled key to that target, the attacker could gain persistent passwordless access to the developer’s machine.
The deeper issue is not only that symlinks were followed. Wiz found that in several cases, the agent or tool recognized the dangerous target internally, but the approval prompt shown to the user did not reveal the real destination. As The Register noted, the user might approve what looks like a normal local edit while the agent writes to a sensitive file outside the project workspace.
That turns “human-in-the-loop” approval into a weak control. If the user is not shown the real path or security impact, the approval prompt becomes more of a rubber stamp than informed consent.
Vendor responses varied. Wiz said AWS, Cursor, and Google fixed the issue, with AWS assigning CVE-2026-12958 for Amazon Q Developer and Cursor assigning CVE-2026-50549. Google fixed the issue in Antigravity and was still assessing CVE issuance at the time of disclosure.
Anthropic disputed the initial report as outside its threat model, arguing that the user had already trusted the directory and approved the file operation. However, current Claude Code versions now include symlink warnings before writing to sensitive files. According to The Register, Anthropic later said that warning shipped before Wiz submitted the report and was part of proactive hardening.
Wiz listed Augment and Windsurf as still in progress at the time of publication. The Register also reported that there was no indication GhostApproval had been actively exploited in the wild, but the potential impact remains serious because AI coding tools often run with access to source code, credentials, local files, and cloud-connected development environments.
For developers and security teams, the takeaway is straightforward: AI coding agents should not be treated as harmless autocomplete. They can read, write, execute, and modify files under the user’s privileges. That makes workspace trust, filesystem boundaries, and approval prompts security-critical controls.
Organizations using AI coding assistants should update affected tools, avoid running agents against untrusted repositories, monitor for unexpected writes to sensitive files, and ensure approval prompts show resolved paths, not just the apparent project filename. A prompt that hides the real target is not meaningful consent.