
GhostApproval: How symlink flaws in AI coding assistants threaten developer machines and what builders should do now
Published by AINave Editorial • Reviewed by Ramit
Wiz researchers discovered a category-level vulnerability called GhostApproval in six popular AI coding assistants that can give attackers remote control of a developer's machine through symbolic links. The flaw affects Amazon Q Developer, Claude Code, Cursor, Windsurf, and Google Antigravity, with some vendors rating it critical or high-severity. For AI builders and development teams, this highlights a fundamental trust boundary problem: AI agents can write to the filesystem before user confirmation, enabling silent sandbox escapes.
What happened
GhostApproval exploits a decades-old Unix primitive: symbolic links. According to Wiz, malicious repositories can trick AI agents into following symlinks that point outside the workspace sandbox, leading to remote code execution (RCE) and persistent access to the developer's machine. In the case of Amazon Q Developer, the agent wrote to the filesystem before presenting the user with an Undo option, even though it correctly identified the symlink in its internal reasoning. Amazon fixed this as CVE-2026-12958 in language server version 1.69.0, which updates automatically unless network configuration prevents it.
Claude Code provided a clear example of UI misrepresentation: the agent recognized the dangerous symlink in its thinking but presented a prompt asking simply "Make this edit to project settings.json?" Anthropic rejected the threat, arguing the user explicitly trusted the directory, but later added a warning in version 2.1.173+ which now resolves symlinks. Cursor's diff UI showed the symlink path, but the backend followed it on Accept; fixed in version 3.0 with CVE-2026-50549. Google's Antigravity displayed the symlink path in its permission dialog rather than the resolved canonical path, allowing Wiz to write an attacker's SSH key via a symlink disguised as project_settings.json. Google has fixed the problem.
Windsurf presented the most dangerous variant: the agent writes file modifications directly to disk before the Accept/Reject buttons appear. The confirmation dialog is an undo mechanism, not an authorization gate. By the time users see the prompt, an attacker's SSH key was already placed in the authorized_keys file.
Why AI builders should care
GhostApproval is not just a set of individual bugs. It's a symptom of a broader challenge: building AI systems that are both powerful and trustworthy. For teams shipping AI-powered coding tools or integrating AI agents into development workflows, the trust boundary between the agent and the user's machine is critical. If an AI agent can write to disk before user confirmation, the human-in-the-loop is effectively broken. This matters for any product that uses AI to modify files, run commands, or access sensitive resources.
Organizations rolling out AI agents en masse need to ensure that confirmation prompts are genuine authorization gates, not undo mechanisms. The Wiz researchers emphasized that getting the human-in-the-loop right, truly right, not just formally present, is essential.
Practical implications
Development teams should immediately check if they use any of the affected tools and apply the latest updates. For Amazon Q Developer, ensure the language server is version 1.69.0 or later; auto-update should handle this unless blocked by network configuration. For Cursor, upgrade to version 3.0. For Claude Code, use version 2.1.173 or later. For Google Antigravity and Windsurf, apply vendor-provided fixes.
Beyond patching, teams should review their sandbox and permission workflows. Consider restricting symbolic link usage in development environments, monitoring for unexpected filesystem writes, and auditing AI agent actions. Incident response plans should include scenarios where AI tooling is used to manipulate SSH keys or other sensitive files.
Caveats
There is no public evidence that GhostApproval has been exploited in the wild at the time of reporting. The findings are based on Wiz researchers' demonstrations and may evolve with future tool versions. Vendor responses varied: Amazon, Cursor, and Google rated it critical or high-severity and fixed it; Anthropic initially rejected the threat but later added warnings. The exposure and mitigations may differ depending on IDE plugin versions and network configurations.





















