News
GhostApproval Flaw Hits Six Popular AI Coding Assistants

Researchers at Wiz uncovered a systemic vulnerability that lets a malicious repository trick an AI coding agent, via symbolic links, into overwriting sensitive files including SSH keys. The flaw affects Claude Code, Cursor, Amazon Q Developer and three other tools.
Contents
Security researchers at Wiz disclosed on July 8, 2026 a vulnerability dubbed GhostApproval that affects six of the most popular AI-powered coding assistants. A developer only needs to ask an agent for help working on a maliciously crafted repository, and the tool can overwrite files outside the working directory without the user's knowledge, including SSH access keys.
How the Attack Works
The mechanism relies on a classic Unix flaw known as CWE-61, symbolic link following. An attacker places a file in the repository that looks like an ordinary configuration file, for example project_settings.json, but is actually a link pointing to a sensitive location, such as the authorized_keys file in the user's .ssh directory.
When a developer asks the agent to edit or review that file, the tool follows the link and writes attacker-controlled content there, for instance the attacker's own SSH public key, effectively granting remote access to the victim's machine. The entire process bypasses the sandbox in which the agent was supposedly running isolated from the rest of the file system.
A Fake Consent Window
The second part of the problem is a flaw tracked as CWE-451, misleading interface presentation. Wiz researchers showed that in Claude Code tests, the model's internal reasoning correctly identified that the project_settings.json file was actually a zsh shell configuration, yet the confirmation dialog shown to the user only asked, 'Make this change to project_settings.json?', with no mention of the operation's true purpose.
This isn't a collection of isolated bugs, it's a design category the AI coding assistant industry hasn't reckoned with yet - Wiz Research
In other words, even when the model itself knows something is wrong, the interface shown to the human doesn't reflect that knowledge, so the consent a developer gives by clicking 'approve' isn't truly informed.
Vendor Responses Vary Widely
Amazon and Cursor responded fastest, issuing their own CVE numbers and shipping patches in Language Server version 1.69.0 and Cursor 3.0 respectively. Google confirmed the issue in Antigravity and rolled out a fix in version 1.19.6, with the CVE assignment process still underway.
Anthropic initially rejected the report as falling outside the company's threat model, arguing that users knowingly designate a trusted directory before starting a Claude Code session. Even so, later releases starting with version 2.1.32 added symbolic link detection and user warnings. Augment and Windsurf remain unpatched months after disclosure.
What It Means for Developers in Poland
For Polish teams using agentic coding tools, the takeaway is simple: work on an unknown or untrusted repository, such as a GitHub fork or a package from an outside contractor, should happen in an isolated environment rather than on a machine with access to production keys. It's also worth checking whether the tool version in use already has the fix, since for Augment and Windsurf the vulnerability remains open.
The case also points to a broader problem in agentic coding: the more autonomy a model gets over the file system, the harder it becomes to design a consent interface that actually informs the user of what their click will do. Wiz says it plans further testing of similar tools for the same class of bugs.
Sources: GhostApproval: AI Coding Assistant Trust Boundary Flaw (wiz.io), AI coding agents expose GhostApproval sandbox bypass (letsdatascience.com)


