GhostApproval: the coding-agent approval prompt that hides the real target
Wiz Research disclosed on July 8, 2026 a trust-boundary flaw in six AI coding assistants: a malicious repo uses a symlink so an approved edit to a harmless file silently writes to ~/.ssh/authorized_keys.
What is this?
On July 8, 2026, Wiz Research published GhostApproval, a systematic trust-boundary flaw found across six of the most popular AI coding assistants: Amazon Q Developer, Anthropic Claude Code, Augment, Cursor, Google Antigravity, and Windsurf. The finding is a defensive disclosure — reported to all six vendors before publication — that documents a category-level blind spot rather than a novel attack against any single product.
The core problem is not exotic. It combines a decades-old primitive — symbolic-link following (CWE-61) — with something newer and more interesting: the confirmation prompt these agents show you does not reveal where the write is actually going. The human is nominally “in the loop,” but the loop is fed misleading information.
How it works
A malicious repository ships a file that looks ordinary, say project_settings.json, but is actually a symlink pointing outside the workspace — to ~/.ssh/authorized_keys, ~/.zshrc, or another sensitive target. The repo’s README contains plain instructions like “to set up this project, update project_settings.json with the following,” along with an attacker-supplied SSH public key.
When the developer clones the repo and asks their assistant to “set up the workspace” or “follow the README,” the agent reads the instruction and writes to project_settings.json. Because the tool never resolves the symlink to its canonical path, the write lands on the real target. The attacker’s key is appended to authorized_keys, granting persistent, password-less remote access — the confused-deputy pattern applied to an autonomous file writer.
The second, sharper failure is a user-interface misrepresentation (CWE-451). Wiz observed several agents whose internal reasoning explicitly recognised the danger — one stated that the file “is actually a zsh configuration file” — while the dialog shown to the user asked only, “Make this edit to project_settings.json?” The agent knew; the user was not told. That turns a sandbox check into an informed-consent bypass: consent is formally present but substantively empty.
Wiz found variations across all six tools. Some (Amazon Q Developer, Windsurf) wrote to disk before the approval buttons appeared, making the dialog an undo prompt rather than a gate. Augment performed both symlink reads — surfacing the contents of a file outside the workspace in chat — and writes with no confirmation at all. The proof-of-concept is a two-line repository setup, so the barrier to abuse is a pull request or a dependency, not deep skill.
Why it matters
Human-in-the-loop is the primary safety story for autonomous coding agents, and GhostApproval shows how thin that story can be when the loop lacks accurate information. This is closely related to earlier symlink-approval work such as SymJack, but the emphasis here is the trust-boundary and consent angle: the security control exists, yet fails to surface what the user needs to decide.
The vendor responses split, which is itself instructive. Google, AWS, and Cursor treated it as a vulnerability and shipped fixes. Anthropic disputed that Claude Code’s behaviour was a bug, arguing that a user who trusts a directory and approves an edit owns that decision — placing the deceptive-workspace scenario outside its threat model (Anthropic separately noted a symlink warning had already shipped in an earlier hardening release). The disagreement is a genuine design-philosophy question: should a tool protect users from workspaces engineered to deceive them, or is spotting a malicious repo the user’s job? For developers running agents over untrusted third-party code — exactly what these tools are sold to do — the practical answer has to be defensive regardless of where the line is drawn. It is the same lesson as the overeager-agent problem: capability without a faithful control surface is a liability.
Defenses
Resolve symlinks before you prompt. The fix Wiz recommends is to canonicalise the target path and show the resolved destination in the confirmation dialog. A write to ~/.ssh/authorized_keys should never be displayed as an edit to ./config.json.
Make the dialog a gate, not an undo button. Never write to disk before explicit authorization. Pre-authorization writes defeat the entire purpose of human oversight — by the time you click, the damage is done.
Warn on any write outside the workspace. Treat writes whose canonical path escapes the project root as high-risk and require an elevated, explicit confirmation that names the real file.
Sandbox untrusted repositories and disable auto-approve. Run agents over unknown code inside an isolated environment, and keep auto-approve modes off for third-party projects. Update the tools that have shipped fixes (Amazon Q Developer, Cursor, Google Antigravity); for the others, assume the behaviour is still present.
Monitor the sensitive sinks. Alert on modifications to ~/.ssh/authorized_keys, shell rc files, and other persistence paths — especially when the writing process is an AI coding assistant operating on a freshly cloned repo.
Status
| Vendor / tool | Status | Reference |
|---|---|---|
| Amazon Q Developer | Fixed (language server 1.69.0) | CVE-2026-12958 (AWS advisory) |
| Cursor | Fixed (v3.0) | CVE-2026-50549 (Cursor advisory) |
| Google Antigravity | Fixed; CVE assessment pending | — |
| Augment | Acknowledged, no fix at disclosure | — |
| Windsurf | Acknowledged, no fix at disclosure | — |
| Anthropic Claude Code | Disputed (“outside threat model”); symlink warning noted in prior release | — |
| Disclosure | Discovered Feb 10, 2026; public July 8, 2026 (Wiz Research) | — |
Sources
- → https://www.wiz.io/blog/ghostapproval-a-trust-boundary-gap-in-ai-coding-assistants
- → https://threat-modeling.com/ghostapproval-symlink-ai-coding-assistants-amazon-q-claude-code-cursor/
- → https://github.com/cursor/cursor/security/advisories/GHSA-3v8f-48vw-3mjx
- → https://github.com/aws/language-servers/security/advisories/GHSA-6v3r-4p5c-mrp5
- → https://cwe.mitre.org/data/definitions/451.html