GhostApproval Flaw Hits Six Major AI Coding Assistants

Written by

Six major AI coding assistants have been found to share a flaw that turns their approval prompts into a rubber stamp, letting a malicious repository write to sensitive files on a developer's machine and, in the worst case, achieve remote code execution.

Wiz Research named the flaw GhostApproval and found it in Amazon Q Developer, Anthropic's Claude Code, Augment, Cursor, Google Antigravity and Windsurf.

The technique relies on symbolic links, or symlinks, which make one file path secretly resolve to another.

One Trusted Approval, One Hidden Target

In a proof of concept (PoC) published on July 7, Wiz showed how a symlink inside a repository, disguised as an innocent file such as project_settings.json could actually point at the developer's SSH keys.

When the developer asked the assistant to "set up the workspace" or follow the README, the agent followed the link and wrote an attacker-supplied key into the real target, handing over passwordless remote access.

Wiz said the design effectively bypasses informed consent: in several tools, the agent resolved the file to a sensitive location, yet the approval dialog showed only the harmless filename, so a developer approved an edit they could not actually see.

Read more on hijacking AI coding agents: New "Agentjacking" Attacks Could Hijack AI Coding Agents

Fixed, Silent or Disputed

In early 2026, Wiz said it reported GhostApproval to all six vendors. 

Amazon, Google and Cursor treated it as a vulnerability and shipped fixes. Cursor issued CVE-2026-50549 to the the flaw.

Augment and Windsurf acknowledged the reports but, as of publication, had gone quiet without a fix, leaving their users potentially exposed.

Anthropic disputed that Claude Code's behavior was a vulnerability. It argued that a user who trusts a directory and approves an edit owns that decision, putting the scenario "outside our threat model."

Wiz framed GhostApproval less as isolated bugs than as a design question the industry has yet to settle: whether an AI coding tool should shield users from a deceptive workspace, or leave that to their judgment.

Its advice to vendors was to resolve symlinks before asking for approval and to flag any write that lands outside the project. 

Developers using Augment or Windsurf, meanwhile, should watch for updates.

What’s Hot on Infosecurity Magazine?