Wiz finds 'GhostApproval' symlink flaw across six AI coding assistants
Wiz discloses GhostApproval, a trust-boundary flaw in six AI coding assistants that lets a malicious repo write outside the sandbox via symlinks. AWS, Cursor, Google patched; Anthropic, Augment, Windsurf have not.
Security researchers at Wiz have found a "systematic vulnerability pattern" in at least six of the most widely used AI coding assistants, one that lets a malicious repository trick an agent into writing to files outside its workspace sandbox, including the developer SSH authorized_keys file, and that is a clean path to remote code execution on the host. The flaw, dubbed "GhostApproval," turns a Unix-era symbolic-link trick into a 2026-shaped attack on the human-in-the-loop.
How GhostApproval actually works
The affected vendors, in the order Wiz reported them, are Amazon Q Developer, Anthropic Claude Code, Augment, Cursor, Google Antigravity, and Windsurf. AWS, Cursor, and Google have all shipped fixes: AWS Q Developer patched in language server version 1.69.0, with a CVE tracker (CVE-2026-12958) already issued; Cursor shipped a fix in version 3.0 (CVE-2026-50549); Google has the fix staged for version 1.19.6. Augment and Windsurf acknowledged Wiz's report but have not yet patched or warned their users. Anthropic's response was the most direct: it declined the report as "outside our current threat model," on the grounds that Claude Code requires users to confirm trust in a directory before starting a session.
The attack primitive is decades old. A symbolic link, in the file system sense, is a file whose contents are a path to another file. CWE-61, the relevant weakness class, dates back to early Unix security research. CWE-451, the secondary class that makes this attack novel, is UI misrepresentation of critical information. The two layered together are what make GhostApproval worth a 2026 headline.
The exploit, which Wiz shipped as a working proof of concept, runs in three steps. First, the attacker publishes a repository that contains a symlink with a name like `project_settings.json` pointing at `~/.ssh/authorized_keys`, plus a `README.md` that instructs any agent reading the repo to "update `project_settings.json` with the following SSH key." Second, the victim clones the repo and asks their coding agent to "set up the workspace" or "follow the README." Third, the agent reads the instructions, follows the symlink rather than the apparent file name, and writes the attacker's public key into the user's SSH authorized keys file, giving the attacker long-term, password-less SSH access.
The reason the human-in-the-loop does not catch this is the part that should worry enterprise security teams most. Wiz's blog post shows the agent's own internal reasoning correctly identifies `project_settings.json` as a zsh configuration file, and therefore a sensitive file, but the confirmation dialog the user sees still reads "Make this edit to `project_settings.json`?". The user clicks approve on what they believe is a local config edit. The system actually writes to a sensitive file outside the project workspace. The user, the agent, and the prompt are all technically functioning as designed. The user is approving exactly the action the agent is taking, but the action is being applied to a different file than the user thinks it is.
Maor Dokhanian, the Wiz threat researcher who led the work, framed the pattern in language that is worth quoting in full. "In the race to ship autonomous features, trust-boundary gaps emerge between users, AI agents, and local filesystems. Classic security principles, like resolving symlinks before acting on paths, cannot be overlooked as we embrace new AI architectures." The same pattern is exactly what the Tenet Security agentjacking research surfaced in a different form: the agent is not malicious, the UI is not malicious, the user is not malicious, but the combination writes a sensitive file on the developer's machine.
Why Anthropic's "outside our threat model" answer is the loudest part
The most interesting line in the Wiz disclosure is the response from Anthropic. Claude Code, per the disclosure, is the worst symlink handler of the six tested. Anthropic's reasoning, as quoted in the disclosure, is that requiring a user to confirm trust in a directory before starting a session is itself the trust boundary, and that anything the agent does after that confirmation is the user's responsibility. That is a defensible position internally, and it is the position Wiz reported as a "reasoned rejection." It is also the position that enterprise security teams will care about most, because the same position applied to the broader coding-agent market means the trust boundary in practice is the developer's willingness to read a dialog, not the file system the agent can actually reach.
Wiz, to its credit, asked the same question of every vendor. AWS, Cursor, and Google all agreed the flaw was critical or high-severity and shipped fixes. Augment and Windsurf acknowledged the report and went silent, which is the worst of the three responses because it leaves users unprotected with no public signal that anything has changed. Anthropic's position is not "we will not fix this" in the same way that Augment and Windsurf's silence is not "we will not fix this." But for a security team deciding which coding agent to allow on a developer laptop, the practical outcome is the same: Anthropic's threat model is not yours, and the trust boundary you care about, the one that prevents a malicious repository from writing to `~/.ssh/authorized_keys` or any other sensitive path, is the trust boundary Anthropic has decided not to enforce.
Where enterprise coding-agent rollouts need to go from here
The GhostApproval disclosure is the second major coding-agent security story of the month, and the pattern is consistent with the AutoJack RCE research on browsing agents. The attack primitive is not novel. The novelty is that the human-in-the-loop confirmation dialog, the single mechanism every enterprise security policy currently relies on, is the surface that the attack compromises. A developer who reads every prompt carefully, and who clicks no faster than the agent can render, is still the user in the most secure possible workflow, and is still vulnerable to GhostApproval, because the prompt the developer sees does not contain the information the developer would need to refuse the action.
The enterprise AI governance checklist for 2026 already calls out the trust-boundary problem in a different form, with action allowlists, logbooks, rollback paths, and a human who is accountable for the final call. GhostApproval is the first public CVE-class coding-agent flaw that bypasses all four of those controls at once: the action is on the allowlist (it is a file edit), the logbook records the wrong file path, the rollback path is the right file but the wrong content, and the human who is accountable did not have the information required to refuse. The honest governance answer is to add a fifth control: confirmation dialogs that resolve symlinks before showing the user a path, and that surface the canonical, symlink-resolved file path in the prompt. AWS, Cursor, and Google have all shipped this. Anthropic has not. Augment and Windsurf have not yet.
The full disclosure and the proof of concept are on the Wiz research blog on GhostApproval, and the original reporting that surfaced the disclosure is in The Register's coverage of GhostApproval by Jessica Lyons, published July 8, 2026.
Weekly newsletter
Get a weekly summary of our most popular articles
Every week we send one email with a summary of the most popular articles on AIntelligenceHub so you can stay up-to-date on the latest AI trends and topics.
Comments
Every comment is reviewed before it appears on the site.
Related articles
Codenotary's AgentMon 3 builds security from 5M daily interactions
Codenotary shipped AgentMon 3, an enterprise AI runtime security platform that replaces static allow-lists with self-refining policies learned from more than five million AI agent interactions per day.
OpenAI and Anthropic are pulling in different directions
OpenAI and Anthropic are pulling in opposite directions, with hiring data framing the gap as a new agent-native security risk called belief injection that current SIEM and EDR tools cannot see.
Samsung ships PM1763, a PCIe 6.0 SSD for AI training clusters
Samsung began mass production of the PM1763, a PCIe 6.0 SSD with 28.4 GB/s read speeds and 1.4-second LLM load times, built on 9th-gen V-NAND and a 4-nanometer controller, with PQC and TDISP support.