Wiz disclosed GhostApproval on July 8, 2026, a symlink-based vulnerability pattern letting malicious code repositories trick 6 AI coding assistants into writing files outside their sandbox. Three vendors have shipped fixes, two remain silent, and Anthropic rejected the finding as outside its threat model.
Quick Summary – TLDR:
- Wiz identified GhostApproval, a flaw combining symlink following (CWE-61) with UI misrepresentation (CWE-451) across 6 AI coding assistants, according to Wiz.
- AWS, Cursor, and Google fixed the issue promptly, while two other vendors acknowledged the report and went silent.
- Anthropic’s Claude Code internally recognized the dangerous target, yet its confirmation prompt named only the harmless filename.
- AWS patched the Amazon Q Developer language server in version 1.69.0 and assigned CVE-2026-12958 to track the fix, per Cyberpress.
- In May 2026, Adversa AI’s SymJack research found the same symlink-approval pattern across six coding agents.
What Happened?
GhostApproval is a vulnerability pattern affecting 6 of the top AI coding assistants: Amazon Q Developer, Anthropic Claude Code, Augment, Cursor, Google Antigravity, and Windsurf. In each case, a malicious repository can trick the agent into accessing arbitrary files outside the workspace sandbox, potentially achieving remote code execution on the developer’s machine.
The bug class sits inside a well-known Unix weakness. A workspace file that looks like a harmless settings file is actually a symbolic link pointing somewhere else entirely, and CWE-61, a well-documented attack primitive, dates back decades.
Wiz reported the findings to all 6 vendors: AWS, Cursor, and Google fixed the issue promptly, two vendors acknowledged receipt but went silent, and Anthropic gave a reasoned rejection.
🚨 GhostApproval </>
— The Hacker News (@TheHackersNews) July 9, 2026
A malicious repo can trick AI coding assistants into reading or writing files outside the workspace.
Wiz says symlink flaws affected Amazon Q Developer, #Claude Code, Augment, Cursor, #Google Antigravity, and Windsurf.
Learn how this attack works on THN 🠖… pic.twitter.com/V9tgTubPDR
How the Approval Prompt Lied?
Anthropic’s Claude Code supplies the clearest example of the gap GhostApproval exposes. That gap is CWE-451, UI misrepresentation of critical information, layered on top of the symlink vulnerability, and Wiz’s testing caught it happening inside the agent’s own reasoning before the user ever saw a prompt.
The agent’s internal reasoning stated: I can see that `project_settings.json` is actually a zsh configuration file. The prompt shown to the developer, however, simply asked: Make this edit to `project_settings.json?`
The user approves what they believe is a harmless local edit while the agent writes to a sensitive file outside of the project workspace. When Wiz reported the Claude Code case, Anthropic pushed back: This falls outside our current threat model.
Anthropic argued that users implicitly accept risk once they trust a directory and approve a permission prompt inside it. The company later confirmed that Claude Code versions 2.1.32 and later, which shipped before the report was even filed, include symlink warnings as part of proactive security hardening, though it stopped short of crediting the disclosure for the change.
Vendor Responses Split Three Ways
Six vendors received the disclosure; three fixed the flaw, two acknowledged it without shipping a fix, and one rejected the classification. The split also breaks along a second, more consequential line: some tools merely mislabeled the target file, while Windsurf wrote file modifications directly to disk before the Accept/Reject buttons even appeared, and Augment performed both symlink reads and writes with no user confirmation whatsoever.
| Vendor | Product | Status | CVE |
|---|---|---|---|
| AWS | Amazon Q Developer | Fixed (language server 1.69.0) | CVE-2026-12958 |
| Cursor | Cursor | Fixed (v3.0) | CVE-2026-50549 |
| Antigravity | Fixed (v1.19.6) | Pending | |
| Augment | Augment | Acknowledged, no fix shipped | none assigned |
| Windsurf | Windsurf | Acknowledged, no fix shipped | none assigned |
| Anthropic | Claude Code | Rejected as outside threat model | none assigned |
AWS patched the Amazon Q Developer language server in version 1.69.0 and assigned CVE-2026-12958 to the fix, while Cursor addressed the flaw in version 3.0 and issued CVE-2026-50549. Google patched Antigravity in version 1.19.6 and is still assessing whether to issue a formal CVE.
The design gap is not confined to one vendor’s oversight. In May 2026, Adversa AI published SymJack, the same symlink-and-approval pattern against six coding agents, including Claude Code, Cursor, GitHub Copilot, and Grok Build. Two independent teams landing on the same pattern points to a shared design weakness: these agents follow a symlink using ordinary file operations, then ask for approval based on the path they were handed, not the path the write lands on.
What’s Next?
Developers running any of the affected tools should update to the patched builds. Until Augment and Windsurf ship fixes, Wiz’s guidance for running the agent with limited file access, working inside a sandbox or container, and reviewing a repository’s README and hidden config files before letting it set up the workspace helps reduce the risk of a silent write to SSH keys or shell startup files. It does not eliminate it.
Expect Google to formalize its pending CVE, and expect scrutiny of Anthropic’s threat-model stance to continue given that its own fix shipped weeks before this report landed.
SQ Magazine’s Takeaway
GhostApproval is less a single bug than a demonstration that “human in the loop” only works when the loop is shown the truth. In several tests, the agent’s own reasoning identified the real, dangerous file target and then displayed a prompt naming the harmless one instead. That is not a sandbox failure a patch quietly closes; it is a consent mechanism that was never showing users what they were actually approving, and the 3 vendors that fixed it treated it as exactly that.
Anthropic’s rejection is coherent as a liability argument: a user who trusts a malicious directory has made a choice. But it does not resolve the underlying design problem SymJack’s independent discovery reinforces.
Coding agents that read instructions and file paths from the same untrusted source they act on will keep producing this class of bug until vendors resolve paths before asking, not after. Developers should treat every one of the 6 affected tools, and every unfamiliar repository, as a workspace that can lie to their tools, not just to them.