A systemic security flaw in six major AI coding assistants allows attackers to bypass workspaces and execute code on developers’ machines via symbolic link attacks, dubbed “GhostApproval.”
Google-owned Wiz identified the vulnerability and alerted Amazon Q Developer, Anthropic Claude Code, Augment, Cursor, Google Antigravity, and Windsurf. Amazon, Cursor, and Google patched the issue, issuing CVEs (CVE-2026-12958 and CVE-2026-50549). Augment and Windsurf acknowledged the report but have not addressed the flaw.
Modern AI agents, while accelerating development, risk undermining security fundamentals. Classic principles like symlink resolution remain critical as autonomous tools integrate with local systems.
Anthropic dismissed the vulnerability as “outside our threat model,” with internal reasoning acknowledging the symlink but ignoring user-facing risks. This reflects a broader “trust-boundary debate”—whether users alone should shoulder security responsibility in AI workflows. Critics argue confirmation prompts often obscure critical details, rendering user approval meaningless.
The exploit leverages symlinks—decades-old Unix shortcuts—to trick agents into writing malicious data to sensitive files like ~/.ssh/authorized_keys. Attackers create repos with disguised symlinks, prompting agents to execute unsafe actions under user consent. Wiz notes that UI confirmations fail to reveal the true target, allowing attackers to escalate privileges undetected.
While no active exploitation has been reported, the flaw poses severe risks for enterprises adopting AI coding tools. Wiz warns that these agents often operate with broad system access, making even theoretical vulnerabilities high-impact.

