• Skip to primary navigation
  • Skip to main content
  • Skip to primary sidebar
  • Skip to footer
Sq Magazine LogoSQ Magazine

Smarter Insights for a Fast-Moving Digital World

  • Latest News
  • Statistics
  • About
  • Contact
Subscribe
Sq Magazine Logo
  • Latest News
  • Statistics
  • About
  • Contact
Subscribe
Home » Cybersecurity

Wiz Finds GhostApproval Flaw in 6 AI Coding Assistants

Published on: July 9, 2026
Sofia Ramirez
Written By
Sofia Ramirez
Sofia Ramirez
Senior Tech Writer • 479 Articles
Sofia Ramirez is a technology and cybersecurity writer at SQ Magazine. With a keen eye on emerging threats and innovations, she helps reader...
LATEST POSTS:
Accenture Confirms Breach After Hacker Lists Stolen Data
Adobe ColdFusion Max-Severity Flaw Now Under Attack
HP DeskJet 2800 Flaw Leaks Wi-Fi Passwords
Robert A. Lee
Reviewed By
Robert A. Lee
Robert A. Lee
Senior Editor • 400 Articles
Robert A. Lee is a journalist at SQ Magazine who unpacks the fast-moving worlds of gaming and internet trends. He tracks everything from maj...
LATEST POSTS:
How Many People Work At Amazon 2026: Headcount, Layoffs, Productivity
AI-Assisted MVP Development: Real Benefits and Real-World Use Cases
PS5 vs Xbox Series X 2026: Full Spec, Performance and Value Comparison
Ghostapproval Flaw In 6 Ai Coding Assistants Found
As Featured In
The New York Times LogoForbes LogoWired LogoDeloitte LogoResearch.com Logo
Share on LinkedIn ChatGPT Perplexity Share on X Share on Facebook

Wiz disclosed GhostApproval on July 8, 2026, a symlink-based vulnerability pattern letting malicious code repositories trick 6 AI coding assistants into writing files outside their sandbox. Three vendors have shipped fixes, two remain silent, and Anthropic rejected the finding as outside its threat model.

Quick Summary – TLDR:

  • Wiz identified GhostApproval, a flaw combining symlink following (CWE-61) with UI misrepresentation (CWE-451) across 6 AI coding assistants, according to Wiz.
  • AWS, Cursor, and Google fixed the issue promptly, while two other vendors acknowledged the report and went silent.
  • Anthropic’s Claude Code internally recognized the dangerous target, yet its confirmation prompt named only the harmless filename.
  • AWS patched the Amazon Q Developer language server in version 1.69.0 and assigned CVE-2026-12958 to track the fix, per Cyberpress.
  • In May 2026, Adversa AI’s SymJack research found the same symlink-approval pattern across six coding agents.

What Happened?

GhostApproval is a vulnerability pattern affecting 6 of the top AI coding assistants: Amazon Q Developer, Anthropic Claude Code, Augment, Cursor, Google Antigravity, and Windsurf. In each case, a malicious repository can trick the agent into accessing arbitrary files outside the workspace sandbox, potentially achieving remote code execution on the developer’s machine.

The bug class sits inside a well-known Unix weakness. A workspace file that looks like a harmless settings file is actually a symbolic link pointing somewhere else entirely, and CWE-61, a well-documented attack primitive, dates back decades.

Wiz reported the findings to all 6 vendors: AWS, Cursor, and Google fixed the issue promptly, two vendors acknowledged receipt but went silent, and Anthropic gave a reasoned rejection.

🚨 GhostApproval </>

A malicious repo can trick AI coding assistants into reading or writing files outside the workspace.

Wiz says symlink flaws affected Amazon Q Developer, #Claude Code, Augment, Cursor, #Google Antigravity, and Windsurf.

Learn how this attack works on THN 🠖… pic.twitter.com/V9tgTubPDR

— The Hacker News (@TheHackersNews) July 9, 2026

How the Approval Prompt Lied?

Anthropic’s Claude Code supplies the clearest example of the gap GhostApproval exposes. That gap is CWE-451, UI misrepresentation of critical information, layered on top of the symlink vulnerability, and Wiz’s testing caught it happening inside the agent’s own reasoning before the user ever saw a prompt.

The agent’s internal reasoning stated: I can see that `project_settings.json` is actually a zsh configuration file. The prompt shown to the developer, however, simply asked: Make this edit to `project_settings.json?`

The user approves what they believe is a harmless local edit while the agent writes to a sensitive file outside of the project workspace. When Wiz reported the Claude Code case, Anthropic pushed back: This falls outside our current threat model.

Anthropic argued that users implicitly accept risk once they trust a directory and approve a permission prompt inside it. The company later confirmed that Claude Code versions 2.1.32 and later, which shipped before the report was even filed, include symlink warnings as part of proactive security hardening, though it stopped short of crediting the disclosure for the change.

Vendor Responses Split Three Ways

Six vendors received the disclosure; three fixed the flaw, two acknowledged it without shipping a fix, and one rejected the classification. The split also breaks along a second, more consequential line: some tools merely mislabeled the target file, while Windsurf wrote file modifications directly to disk before the Accept/Reject buttons even appeared, and Augment performed both symlink reads and writes with no user confirmation whatsoever.

VendorProductStatusCVE
AWSAmazon Q DeveloperFixed (language server 1.69.0)CVE-2026-12958
CursorCursorFixed (v3.0)CVE-2026-50549
GoogleAntigravityFixed (v1.19.6)Pending
AugmentAugmentAcknowledged, no fix shippednone assigned
WindsurfWindsurfAcknowledged, no fix shippednone assigned
AnthropicClaude CodeRejected as outside threat modelnone assigned

AWS patched the Amazon Q Developer language server in version 1.69.0 and assigned CVE-2026-12958 to the fix, while Cursor addressed the flaw in version 3.0 and issued CVE-2026-50549. Google patched Antigravity in version 1.19.6 and is still assessing whether to issue a formal CVE.

The design gap is not confined to one vendor’s oversight. In May 2026, Adversa AI published SymJack, the same symlink-and-approval pattern against six coding agents, including Claude Code, Cursor, GitHub Copilot, and Grok Build. Two independent teams landing on the same pattern points to a shared design weakness: these agents follow a symlink using ordinary file operations, then ask for approval based on the path they were handed, not the path the write lands on.

Newsletter
Subscribe To Our Newsletter!

Be the first to get exclusive offers and the latest news.

What’s Next?

Developers running any of the affected tools should update to the patched builds. Until Augment and Windsurf ship fixes, Wiz’s guidance for running the agent with limited file access, working inside a sandbox or container, and reviewing a repository’s README and hidden config files before letting it set up the workspace helps reduce the risk of a silent write to SSH keys or shell startup files. It does not eliminate it.

Expect Google to formalize its pending CVE, and expect scrutiny of Anthropic’s threat-model stance to continue given that its own fix shipped weeks before this report landed.

SQ Magazine’s Takeaway

GhostApproval is less a single bug than a demonstration that “human in the loop” only works when the loop is shown the truth. In several tests, the agent’s own reasoning identified the real, dangerous file target and then displayed a prompt naming the harmless one instead. That is not a sandbox failure a patch quietly closes; it is a consent mechanism that was never showing users what they were actually approving, and the 3 vendors that fixed it treated it as exactly that.

Anthropic’s rejection is coherent as a liability argument: a user who trusts a malicious directory has made a choice. But it does not resolve the underlying design problem SymJack’s independent discovery reinforces.

Coding agents that read instructions and file paths from the same untrusted source they act on will keep producing this class of bug until vendors resolve paths before asking, not after. Developers should treat every one of the 6 affected tools, and every unfamiliar repository, as a workspace that can lie to their tools, not just to them.

This article has been reviewed and fact-checked by Robert A. Lee. SQ Magazine follows strict Publishing Principles and a documented Fact-Check Policy to ensure accuracy, transparency, and editorial independence across all content.

Add SQ Magazine as a Preferred Source on Google for updates! Follow on Google News
Share ChatGPT Perplexity

References

  • Wiz: GhostApproval - A Trust Boundary Gap in AI Coding Assistants
Sofia Ramirez

Sofia Ramirez

Senior Tech Writer


Sofia Ramirez is a technology and cybersecurity writer at SQ Magazine. With a keen eye on emerging threats and innovations, she helps readers stay informed and secure in today’s fast-changing tech landscape. Passionate about making cybersecurity accessible, Sofia blends research-driven analysis with straightforward explanations; so whether you’re a tech professional or a curious reader, her work ensures you’re always one step ahead in the digital world.

Related Posts

Assuranceamerica Data Breach Exposes 6 9 Million Drivers
Cybersecurity

AssuranceAmerica Data Breach Exposes 6.9 Million Drivers

Xai Launches Grok 4 5
Artificial Intelligence

xAI Launches Grok 4.5, Elon Musk Calls It Opus-Class

Openai Launches Gpt Live Full Duplex Voice Models
Artificial Intelligence

OpenAI Launches GPT-Live Full-Duplex Voice Models

Disclaimer: The content published on SQ Magazine is for informational and educational purposes only. Please verify details independently before making any important decisions based on our content.

Reader Interactions

Leave a Comment Cancel reply

Primary Sidebar

Connect With Us

facebook x linkedin google-news telegram pinterest whatsapp email
google-preferred-source-badge Add as a preferred source on Google

You Should Also Read

Accenture Confirms Breach After Hacker Lists Stolen Data
Adobe ColdFusion Max-Severity Flaw Now Under Attack
HP DeskJet 2800 Flaw Leaks Wi-Fi Passwords

Table of Contents

  • Quick Summary – TLDR:
  • What Happened?
  • How the Approval Prompt Lied?
  • Vendor Responses Split Three Ways
  • What’s Next?
  • SQ Magazine’s Takeaway
Connect on Telegram

Footer

SQ Magazine Logo

Smarter Insights for a Fast-Moving Digital World

Connect With Us

Follow Us on Google News

Editorial & Trust

  • About
  • Publishing Principles
  • Fact-Check Policy
  • Corrections Policy
  • Ethics Policy
  • Disclaimer

Worth Checking

  • Social Media Attention Span Stats
  • Gen Z Social Media Statistics
  • TikTok vs. Instagram Statistics
  • LLM Hallucination Statistics
  • Spotify User Statistics
  • Apple Customer Loyalty Statistics
Contact Us
13570 Grove Dr #189,
Maple Grove, MN 55311,
United States
10 a.m. to 6 p.m. | Every day

Copyright © 2022–2026 SQ Magazine. All Rights Reserved. Powered by the Neural Stack.

  • Privacy Policy
  • Terms
  • Accessibility Statement
Company
  • About Us
  • Our Team
  • Our Mission
  • Core Values
Discover
  • Brand Assets
    Brand Assets
  • Stats Methodology
    Stats Research Process
  • Glossary
    Glossary
Categories
  • Internet
  • Technology
  • Artificial Intelligence
  • Gaming
  • Cybersecurity
Internet
How Many People Work At Amazon
How Many People Work At Amazon 2026: Headcount, Layoffs, Productivity
Hulu Statistics
Hulu Statistics 2026: Subscribers, Revenue and Market Share
Spotify vs Apple Music Statistics
Spotify vs Apple Music Statistics 2026: Subscribers, Revenue, Market Share
Time Spent on TikTok Statistics
Time Spent on TikTok Statistics 2026: Daily Minutes by Age
Google Workspace Statistics
Google Workspace Statistics 2026: Users, Market Share and AI
YouTube vs TikTok Statistics
YouTube vs TikTok Statistics 2026: Users, Revenue, Creator Economy
Technology
Google Cloud Platform Statistics
Google Cloud Platform Statistics 2026: Market Growth
Asana Statistics
Asana Statistics 2026: Revenue, Customers, AI ARR and Market Share
AWS Statistics
AWS Statistics 2026: Revenue, Market Share and AI Growth
Adobe Creative Cloud Statistics
Adobe Creative Cloud Statistics 2026: Subscribers, Revenue and Market Share
Adobe Statistics
Adobe Statistics 2026: Revenue, ARR, and Workforce Data
Employee Productivity Statistics
Employee Productivity Statistics 2026: Engagement, Costs & Trends
Artificial Intelligence
Grammarly AI Statistics
Grammarly AI Statistics 2026: Users, Revenue, Funding, Rebrand
Copilot Statistics
Copilot Statistics 2026: Users, Adoption, Revenue and Market Share
AI Image Generation Statistics
AI Image Generation Statistics 2026: Market Size, Adoption & Risks
Machine Learning Adoption
Machine Learning Adoption in 2026: What Businesses Need to Know
AI Influencer Marketing Statistics
AI Influencer Marketing Statistics: Market Size and Engagement
AI Market Statistics
AI Market Statistics 2026: Size, Growth & Investment
Gaming
Online Gambling Regulations Statistics
Online Gambling Regulations Statistics 2026: Global Compliance and Enforcement Data
Fantasy Sports Statistics
Fantasy Sports Statistics 2026: Users, Revenue & Trends
Apex Legends Statistics
Apex Legends Statistics 2026: Players, Revenue, and Esports
Fortnite Statistics
Fortnite Statistics 2026: Players, Revenue, Esports, and Engagement
Gamers Statistics
Gamers Statistics 2026: Players, Habits & Global Data
Minecraft Statistics
Minecraft Statistics 2026: 300 Million Copies Sold & 212M Monthly Players
Cybersecurity
Password Statistics
Password Statistics 2026: Credential Theft, MFA, and the Passkey Tipping Point
Identity Theft Statistics
Identity Theft Statistics 2026: Key Fraud Data and Trends
CVE Statistics
CVE Statistics 2026: Severity Distribution and Top Affected Vendors
Dark Web AI Tool Marketplace Statistics
Dark Web AI Tool Marketplace Statistics 2026: Explosive Market Growth
API Security Breach Statistics
API Security Breach Statistics 2026: Hidden Threats
AI Voice Cloning Fraud Statistics
AI Voice Cloning Fraud Statistics 2026: Alarming Trends You Must Know Now
Categories
  • Cybersecurity
  • Artificial Intelligence
  • Internet
  • Technology
  • Gaming
Cybersecurity
Assuranceamerica Data Breach Exposes 6 9 Million Drivers
AssuranceAmerica Data Breach Exposes 6.9 Million Drivers
Accenture Confirms Breach After Hacker Lists Stolen Data
Accenture Confirms Breach After Hacker Lists Stolen Data
Adobe Coldfusion Max Severity Flaw Now Under Attack
Adobe ColdFusion Max-Severity Flaw Now Under Attack
Hp Deskjet 2800 Flaw Leaks Wi Fi Passwords
HP DeskJet 2800 Flaw Leaks Wi-Fi Passwords
Pamstealer Macos Malware Exposed
PamStealer Malware Verifies Stolen Mac Passwords Live
Google Fbi Disrupt Netnut Residential Proxy Network
Google, FBI Disrupt NetNut Residential Proxy Network
Artificial Intelligence
Xai Launches Grok 4 5
xAI Launches Grok 4.5, Elon Musk Calls It Opus-Class
Openai Launches Gpt Live Full Duplex Voice Models
OpenAI Launches GPT-Live Full-Duplex Voice Models
Trump Administration Clears Openai S Gpt 5 6 For Launch
Trump Administration Clears OpenAI’s GPT-5.6 for Launch
Anthropic Extends Claude Fable 5 Included Access
Anthropic Extends Claude Fable 5 Included Access
Anthropic Brings Claude Cowork To Phones And Web
Anthropic Brings Claude Cowork to Phones and Web
Terawulf Signs 20 Year 19 Billion Anthropic Lease
TeraWulf Signs 20-Year, $19 Billion Anthropic Lease
Internet
Whatsapp Launches Username Reservation Feature
WhatsApp Opens Username Reservations for Its 3 Billion Users
Chrome 149 Update Fixes Serious Vulnerabilities
Google Chrome 149 Fixes 18 Serious Security Flaws
Meta Hands Whatsapp Reins To Cred Founder Kunal Shah
Meta Hands WhatsApp Reins to CRED Founder Kunal Shah
Major X Outage Disrupts Users Worldwide
Major X Outage Disrupts Users Worldwide, Service Restored
Meta Adds 13 Plus Age Verification For Teen Safety
Meta Adds 13+ Content Settings and AI Age Checks for Teens
Telegram Restricted In India Temporarily
Telegram Restricted in India as NEET Fraud Crackdown Grows
Technology
Microsoft Lays Off 4800 Employees
Microsoft Cuts 4,800 Jobs, Resets Xbox Strategy
Chrome Update Fixes 382 Vulnerabilities
Chrome 150 Patches 382 Security Fixes, 15 Critical
Apple Leak Reveals Six New Iphones For 2027
Massive Apple Leak Reveals Six New iPhones for 2027
Google Finance Comes Out Of Beta With Android App
Google Finance Gets Major AI Upgrade and New Android App
Windows Recycle Bin Bug Confirmed After June Security Update
Windows Recycle Bin Bug Confirmed After June Security Update
Apple Urgently Fixes Beats Studio Buds Bug
Apple Urgently Fixes Beats Studio Buds Bug That Enabled Spying
Gaming
Gta Vi Official Cover Art
GTA 6 Pre-Orders Start June 25, New Cover Art Unveiled
Epic Games Teases Unreal Engine 6 For Rocket League
Epic Games Teases Unreal Engine 6 for Rocket League
Stardew Valley Launched For Nintendo Switch 2 Edition
Stardew Valley Switch 2 Edition Arrives with Online Co-op
Hogwarts Legacy Game Crosses 40m Downloads
Hogwarts Legacy Crosses 40M Sales, Beating Industry Giants
Pubg Black Budget Closed Alpha Launched
PUBG: Black Budget Launches Closed Alpha Test With a Bold PvPvE Twist
Counter Strike 2 Skin Market Crashes After Valve Update
Counter-Strike 2’s $5.9 Billion Skin Economy Just Got Shattered
Newsletter

Subscribe To Our Newsletter!

Be the first to get exclusive offers and the latest news.

Newsletter

Subscribe To Our Newsletter!

Be the first to get exclusive offers and the latest news.