News

GhostApproval Flaw in AI Coding Assistants Puts Developers at Risk

Researchers at Wiz uncover a symlink flaw in popular AI coding assistants that could allow attackers to take control of a developer's computer.

A newly discovered vulnerability, dubbed GhostApproval, exploits symbolic links to deceive AI coding assistants into writing to sensitive files. Several major tools are affected, with some vendors issuing fixes while others dispute the findings.

Researchers Uncover GhostApproval Flaw in AI Coding Assistants

Researchers at Wiz have identified a critical vulnerability in six popular AI coding assistants that could allow attackers to take control of a developer's computer. The flaw, named GhostApproval, exploits an old Unix feature called a symbolic link (symlink) that these assistants fail to properly validate. The affected tools include Amazon Q Developer, Anthropic's Claude Code, Augment, Cursor, Google Antigravity, and Windsurf.

How the Attack Works

The attack involves a malicious repository containing a symlink that points to a sensitive file, such as the victim's SSH login file (~/.ssh/authorized_keys) or shell startup file (~/.zshrc). When the AI assistant is instructed to edit a seemingly harmless file, it instead writes to the sensitive target file, allowing the attacker to gain unauthorized access.

For example, a malicious repository might contain a symlink named project_settings.json that actually points to ~/.ssh/authorized_keys. If the AI assistant is asked to add a line to project_settings.json, it writes the attacker's SSH key to the login file, enabling remote access without a password.

Affected Tools and Responses

Wiz reported the issue to all six vendors, with varying responses:

  • Amazon Q Developer: Fixed in Language Server 1.69.0 (CVE-2026-12958). Users are advised to update.
  • Cursor: Fixed in v3.0 (CVE-2026-50549). Users should update via the extension manager.
  • Google Antigravity: Fixed (CVE pending). Users are advised to update to the latest version.
  • Augment: Acknowledged the issue but has not yet released a fix. Users are advised to avoid pointing the tool at untrusted repositories.
  • Windsurf: Acknowledged the issue but has not yet released a fix. Users are advised to avoid pointing the tool at untrusted repositories.
  • Anthropic Claude Code: Disputes the classification, claiming the scenario falls outside its threat model. Users are advised to update and review symlink warnings before accepting edits.

Mitigation and Recommendations

To mitigate the risk, developers are advised to:

  • Run AI assistants with limited file access or inside a sandbox/container.
  • Review repository files, especially hidden config files, before allowing an AI assistant to set them up.
  • Check sensitive files like shell startup files and SSH keys for unauthorized changes after working in unfamiliar repositories.

Wiz recommends that toolmakers resolve symlinks before requesting approval, flag writes outside the project folder, and ensure no file modifications occur until the user explicitly approves them.

Broader Implications

The GhostApproval flaw highlights a shared design weakness in AI coding assistants, as they follow symlinks using ordinary file operations without verifying the actual write destination. This pattern has already been observed in the wild, with malicious repositories exploiting similar vulnerabilities to compromise developer environments.

As AI assistants become more integrated into development workflows, ensuring transparency and accuracy in approval processes will be critical to maintaining security.