GhostApproval: Symlink Trust Gap in AI Coding Assistants

Authors: Cloud Security Alliance AI Safety Initiative
Published: 2026-07-12

Categories: Application Security
Download PDF

Key Takeaways

Security researchers at Wiz disclosed a vulnerability pattern on July 8, 2026, called GhostApproval, affecting six widely used AI coding assistants: Amazon Q Developer, Anthropic’s Claude Code, Augment, Cursor, Google Antigravity, and Windsurf [1][2]. The flaw combines a decades-old Unix mechanism, symbolic link (symlink) following, with a newer failure mode specific to AI agents: confirmation dialogs that describe an edit differently than the action the agent is about to perform. An attacker who gets a developer to open a booby-trapped repository and ask the assistant to “set up the workspace” can cause the agent to write attacker-controlled content through a symlink into sensitive locations such as ~/.ssh/authorized_keys, potentially granting the attacker passwordless remote access to the developer’s machine [3][4]. Three vendors, Amazon Web Services, Cursor, and Google, shipped fixes before the July 8 disclosure, though only Amazon Q Developer and Cursor had CVE identifiers assigned at that time, with Google’s CVE still pending; Augment and Windsurf acknowledged the reports but had not shipped fixes as of publication; and Anthropic disputed the classification, arguing the scenario falls outside its threat model because the developer chose to trust the folder and approved the resulting edit [3][5]. For CSA members deploying AI coding assistants across engineering organizations, GhostApproval is a reminder that human-in-the-loop approval is only a meaningful control when the information shown to the human accurately reflects what the system is about to do.

Background

AI coding assistants increasingly operate with direct filesystem access inside a developer’s workspace, reading source files, writing new ones, and executing commands on the assistant’s own initiative once a session begins. To keep this autonomy in check, most vendors in this category layer a human-in-the-loop control on top of the agent’s file operations, and all six assistants examined in the GhostApproval research do so in some form: before the assistant writes to a file outside an explicitly pre-approved set, it presents the developer with a confirmation dialog describing the proposed change and waits for approval. This pattern is the primary safeguard that lets vendors market these tools as safe to run against untrusted or partially untrusted codebases, including open-source repositories cloned from the internet, forked pull requests, and take-home coding assignments.

The security assumption underlying that safeguard is that the dialog accurately represents the action being authorized. Wiz’s research, published as the GhostApproval report on July 8, 2026, tested that assumption directly by asking a simple question: what happens when the file the agent is about to write is not really the file the dialog names, because the filename resolves through a symbolic link to somewhere else entirely? Symlinks have been a known avenue for security boundary bypass since the earliest multi-user Unix systems, cataloged today as CWE-61, Symlink Following, precisely because a program that checks permissions or displays a path before resolving the link can be tricked into believing it is operating in one location while the underlying filesystem call lands in another [6]. Wiz found that this decades-old class of bug had quietly reappeared inside the newest generation of developer tooling, and documented multiple cases, including Claude Code and Augment, in which the agent’s own internal reasoning had already identified the dangerous target before the user ever saw the approval prompt.

Security Analysis

Wiz constructed a minimal proof-of-concept repository containing a file named project_settings.json that was not a regular file at all but a symlink pointing to the victim’s SSH authorized-keys file at ~/.ssh/authorized_keys. The repository’s README instructed a developer, in ordinary onboarding language, to “add a line” to project_settings.json as part of setting up the project. When a developer opened the repository in an AI coding assistant and asked it to follow the README or set up the workspace, the agent read the instruction, resolved the filename, and wrote the attacker’s SSH public key straight through the symlink into the authorized-keys file, all while presenting the developer with an approval dialog that displayed only the harmless-looking filename project_settings.json [3][4]. Once the key was in place, an attacker with network reach to the victim’s SSH service could log in without a password, converting a single approved-looking edit into full remote code execution.

The research frames the flaw as two distinct weaknesses stacked on top of each other. The first, CWE-61, is the well-understood symlink-following bug: the assistant resolves the write target without checking whether the resolved path leaves the workspace boundary the user believes they are operating within. CSA’s assessment is that the second weakness, classified as CWE-451, UI misrepresentation of critical information, is what elevates GhostApproval above a routine filesystem bug. In the Claude Code case that Wiz documents in detail, the model’s own internal reasoning trace explicitly identified the target as a zsh configuration file outside the workspace, stating “I can see that project_settings.json is actually a zsh configuration file,” correctly recognizing the danger, yet the confirmation prompt shown to the developer asked only “Make this edit to project_settings.json?” with no indication that the real target lay outside the workspace [3]. Wiz documents the same pattern in Augment, where the agent’s reasoning likewise recognized the file as a zsh configuration file before writing to it, this time with no confirmation step presented to the user at all. In both cases, the agent effectively knew more than it told the user, and the approval mechanism captured a decision the user could not actually make on informed terms.

The severity and mechanics varied by vendor. Augment’s implementation exhibited the broadest exposure among the six in one respect: Wiz found it would both silently read files through symlinks, exfiltrating credentials without any prompt, and write through them without any consent mechanism at all. Windsurf exhibited what Wiz terms a pre-authorization write pattern, in which the filesystem write completed before the accept-or-reject buttons were even rendered to the user, making the subsequent dialog cosmetic rather than gating. Amazon Q Developer showed a related timing flaw in which writes occurred before an undo option was surfaced. Cursor’s backend followed symlinks despite its diff view technically displaying the resolved path, an implementation gap between what the interface showed and what the write logic checked. Table 1 summarizes vendor status as reported by Wiz and corroborated by follow-on coverage from The Hacker News, SecurityWeek, and The Register [1][3][7].

Vendor / Product Reported Flaw Pattern Status as of July 8, 2026 CVE
Amazon Q Developer Pre-authorization write before undo option shown Fixed, language server v1.69.0 CVE-2026-12958
Cursor Backend followed symlinks despite diff UI showing resolved path Fixed, v3.0 CVE-2026-50549
Google Antigravity Symlink following into sensitive paths Fixed Pending
Anthropic Claude Code Internal reasoning identified symlink target; dialog concealed it Disputed as out of threat model; symlink warning shipped in February as routine hardening None assigned
Augment Silent symlinked reads (credential exfiltration) and writes with no consent step Acknowledged, unpatched at disclosure None assigned
Windsurf Write completed before accept/reject buttons rendered Acknowledged, unpatched at disclosure None assigned

Anthropic’s public position is worth examining on its own terms because it surfaces a genuine, unresolved question about where the boundary of an AI coding assistant’s threat model should sit. Anthropic told Wiz that a developer who opens a repository and approves an edit has, in effect, extended trust to that folder and to the action being taken, and that a tool respecting an explicit user approval is not thereby vulnerable [3][5]. The counterargument — one CSA finds persuasive, and consistent with Wiz’s CWE-451 classification — is that approval obtained through a misleading prompt is not meaningful consent at all: a developer who is shown project_settings.json has not approved a write to ~/.ssh/authorized_keys, because they were never told that was the operation being authorized. This is not a narrow disagreement about one vulnerability; it is a disagreement about what human-in-the-loop review is supposed to guarantee in agentic systems generally, and it will likely recur as more classes of “the agent showed X but did Y” bugs are found in other tools.

Recommendations

Immediate Actions

Security teams operating environments where developers run AI coding assistants against externally sourced repositories, including open-source dependencies, contractor code drops, and unvetted pull requests, should treat those repositories as untrusted input capable of directing file writes outside the visible workspace until each assistant in use has been confirmed patched. Organizations running Amazon Q Developer, Cursor, or Google Antigravity should verify they are on the patched versions referenced in Table 1 (language server v1.69.0 or later for Amazon Q, v3.0 or later for Cursor) rather than assuming automatic update channels have already applied the fix. Organizations running Augment or Windsurf, where no patch existed as of the July 8 disclosure, should restrict those tools from being pointed at untrusted repositories until a fix ships, and should consider disabling automatic file-write approval workflows in favor of manual review of the assistant’s full file-operation log rather than its summarized confirmation prompt.

Short-Term Mitigations

Because the underlying weakness is a mismatch between what an agent’s confirmation dialog displays and what its filesystem call actually targets, defenders cannot fully close this gap through configuration alone and should pair vendor patches with workspace-level containment. Running AI coding assistants inside a container, sandboxed virtual machine, or restricted filesystem namespace limits the blast radius of a symlink-based escape even if a future variant of GhostApproval surfaces in a tool not covered by this disclosure. Security teams should also audit whether any assistant deployed in their environment permits filesystem writes to complete before an approval decision is rendered, a pattern Wiz documented in both Windsurf and Amazon Q Developer’s pre-fix behavior, since that timing flaw defeats the human-in-the-loop control regardless of what the dialog eventually displays.

Strategic Considerations

GhostApproval should prompt security and engineering leadership to reconsider what evidentiary standard they hold AI agent tooling to before treating an approval prompt as a security boundary. A confirmation dialog is only as trustworthy as the fidelity between what it shows and what the underlying system call does, and CWE-451-class flaws mean that fidelity cannot be assumed just because a vendor advertises a human-in-the-loop model. Organizations procuring or building agentic developer tools should ask vendors directly whether their approval UI resolves symlinks, junction points, and other indirect filesystem references before rendering a confirmation prompt, and whether writes are gated strictly behind that confirmation rather than being reversible only after the fact. The Anthropic dispute also illustrates a governance gap worth tracking: vendors currently define their own threat models unilaterally, and a flaw one vendor patches as a vulnerability, another may formally decline to classify as one, leaving customers to reconcile inconsistent vendor risk postures on their own.

CSA Resource Alignment

GhostApproval sits squarely at the intersection of two problems CSA has already published structured guidance on: testing agentic AI systems for exactly this class of failure, and governing how much autonomous trust an AI agent should be granted before its actions are gated behind human approval. CSA’s Agentic AI Red Teaming Guide catalogs “Checker-Out-of-the-Loop” failures as one of its twelve core threat categories for autonomous agents, describing precisely the scenario Wiz documented: a control that is nominally present but that an attacker, or in this case a misleading UI, can render non-functional without the human reviewer realizing their oversight has been bypassed [8]. Security teams evaluating AI coding assistants should use that guide’s testing procedures to probe whether a given tool’s approval dialogs can be induced to misrepresent a write target, rather than relying on vendor claims that a human-in-the-loop step exists.

The Agentic Trust Framework (ATF), now stewarded by the CSAI Foundation following its April 2026 acquisition, offers a directly applicable governance lens for the Anthropic dispute over threat-model boundaries [9][10]. ATF’s four-level maturity model, Intern, Junior, Senior, and Principal, ties an agent’s permitted autonomy to how much oversight its actions receive, with the “Junior” tier defined explicitly as recommend-and-approve: an agent proposes an action and a human must approve it before it executes. GhostApproval demonstrates that a recommend-and-approve control only satisfies that tier’s intent if the recommendation shown to the human is accurate; a tool whose internal reasoning identifies a dangerous symlink target but whose dialog conceals it has not actually implemented Junior-tier oversight, regardless of what the vendor calls the feature. Organizations assessing AI coding assistants against ATF’s maturity model should treat approval-dialog fidelity as a prerequisite for crediting any tool with recommend-and-approve status.

Finally, CSA’s AI Controls Matrix (AICM) v1.1 provides the broader controls baseline against which organizations should evaluate AI coding assistant deployments, particularly its Application and Interface Security and Threat and Vulnerability Management domains, which map directly onto the need to validate that an agentic tool’s stated controls, including its file-write approval workflow, function as represented rather than merely as documented [11].

References

[1] The Hacker News. “GhostApproval Symlink Flaws Could Let Malicious Repos Run Code in AI Coding Agents.” The Hacker News, July 2026.

[2] Infosecurity Magazine. “GhostApproval Flaw Hits Six Major AI Coding Assistants.” Infosecurity Magazine, July 2026.

[3] Wiz. “GhostApproval: A Trust Boundary Gap in AI Coding Assistants.” Wiz Blog, July 8, 2026.

[4] Cyber Security News. “New GhostApproval Vulnerability Affects Amazon Q, Claude Code, Cursor, and Other AI Agents.” Cyber Security News, July 2026.

[5] SecurityWeek. “AI Coding Tools Tricked Into Hacking Developer Machine via Decades-Old Technique.” SecurityWeek, July 2026.

[6] MITRE. “CWE-61: UNIX Symbolic Link (Symlink) Following.” Common Weakness Enumeration, MITRE Corporation.

[7] The Register. “Bug in Top AI Coding Agents Shows That Unix-Era Security Headaches Never Really Die.” The Register, July 8, 2026.

[8] Cloud Security Alliance. “Agentic AI Red Teaming Guide.” Cloud Security Alliance, May 2025.

[9] Cloud Security Alliance. “CSAI Foundation Announces Key Milestones to Secure the Agentic Control Plane.” Cloud Security Alliance, April 29, 2026.

[10] Agentic Trust Framework. “Agentic Trust Framework (ATF).” Agentic Trust Framework, accessed July 2026.

[11] Cloud Security Alliance. “AI Controls Matrix (AICM) v1.1.” Cloud Security Alliance.

← Back to Research Index