Full Report
Researchers at Wiz found that a flaw in six popular AI coding assistants lets a booby-trapped code project quietly take control of a developer's computer. The assistant asks permission to edit one harmless-looking file, but the write lands on a sensitive one instead. The affected tools are Amazon Q Developer, Anthropic's Claude Code, Augment, Cursor, Google Antigravity, and Windsurf.
Analysis Summary
# Vulnerability: GhostApproval Symlink Exploitation in AI Coding Assistants
## CVE Details
- **CVE ID:** CVE-2026-12958 (Amazon Q), CVE-2026-50549 (Cursor), Pending (Google Antigravity)
- **CVSS Score:** Not explicitly listed in the article (High Severity inferred due to Arbitrary Code Execution/Unauthorized Access)
- **CWE:** [CWE-451: User Interface (UI) Misrepresentation of Critical Information](https://cwe.mitre[.]org/data/definitions/451.html) (Informed-Consent Bypass)
## Affected Systems
- **Products:**
- Amazon Q Developer
- Anthropic Claude Code
- Augment
- Cursor
- Google Antigravity
- Windsurf
- **Versions:**
- Amazon Q Developer: Versions prior to Language Server `1.69.0`
- Cursor: Versions prior to `v3.0`
- Anthropic Claude Code: All versions (as of publication, though warnings were added)
- **Configurations:** Systems where AI assistants are granted permissions to edit files within a workspace containing malicious symbolic links.
## Vulnerability Description
GhostApproval is a trust-boundary gap where AI coding assistants fail to properly validate symbolic links (symlinks) within a repository. An attacker can create a malicious repository containing a symlink that appears to be a harmless project file (e.g., `project_settings.json`) but actually points to a sensitive file outside the project directory (e.g., `~/.ssh/authorized_keys` or `~/.zshrc`).
When a developer instructs the AI to modify the "harmless" file, the AI writes the attacker-controlled data through the symlink into the sensitive target. The flaw is compounded by a UI misrepresentation: the approval dialog shown to the developer displays the name of the symlink rather than the actual file path being modified, leading to an informed-consent bypass.
## Exploitation
- **Status:** PoC available (demonstrated by Wiz researchers); no known exploitation in the wild.
- **Complexity:** Medium
- **Attack Vector:** Local (via interaction with a malicious repository)
## Impact
- **Confidentiality:** High (Potential to read/exfiltrate sensitive credentials like AWS keys)
- **Integrity:** High (Ability to overwrite SSH keys or shell configuration files)
- **Availability:** High (Potential for full system takeover)
## Remediation
### Patches
- **Amazon Q Developer:** Update to Language Server `1.69.0` or later.
- **Cursor:** Update to `v3.0` or later via the extension manager.
- **Google Antigravity:** Update to the latest current version.
### Workarounds
- **Strict Repository Trust:** Only use AI assistants with repositories from highly trusted sources.
- **Manual Review:** For tools like Claude Code that now provide warnings, carefully inspect all symlink alerts before approving edits.
- **Environment Isolation:** Run AI coding agents within isolated containers or virtual machines to prevent access to the host's sensitive configuration files.
## Detection
- **Indicators of Compromise:**
- Unexpected entries in `~/.ssh/authorized_keys`.
- Unexplained modifications to shell startup scripts (`.zshrc`, `.bashrc`).
- Presence of symlinks in repositories pointing to absolute system paths.
- **Detection Methods:**
- Audit IDE/Extension logs for file-write operations.
- Use filesystem monitoring tools to alert on changes to sensitive hidden directories (`.ssh`, `.aws`).
## References
- Wiz Research Blog: [https://www.wiz[.]io/blog/ghostapproval-a-trust-boundary-gap-in-ai-coding-assistants]
- Cursor Security Advisory: [https://github[.]com/cursor/cursor/security/advisories/GHSA-3v8f-48vw-3mjx]
- The Hacker News Article: [https://thehackernews[.]com/2026/07/ghostapproval-symlink-flaws-could-let.html]