News
GhostApproval Flaw Lets Attackers Hijack Computers via Fake AI Editor Approval

Researchers at Wiz described a systemic vulnerability in six popular AI coding agents, including Cursor, Claude Code, and Amazon Q, that uses symlinks to overwrite sensitive files despite an apparent user approval.
Security research firm Wiz disclosed on July 8 a vulnerability named GhostApproval that affects six of the most popular AI-based coding agents. The attack relies on a decades-old symbolic link trick to bypass the approval prompt meant to protect users from dangerous changes to disk.
How the attack works
The scenario is easy to reproduce. An attacker prepares a repository where a file with an innocuous name, say project_settings.json, is actually a symbolic link pointing to a sensitive system location, such as the authorized_keys file in the SSH directory or the .zshrc shell startup file. The repository includes a README instructing the AI agent to update this seemingly ordinary configuration file.
When a developer opens such a project and asks the assistant for help, the agent reads the instruction from the README and prepares an edit. This is where the core problem shows up: the confirmation window displays the name of the source file, project_settings.json, rather than the actual path the symlink points to. The user clicks approve, unaware that they are in fact authorizing an overwrite of their SSH keys or the injection of malicious code into their shell environment.
Differences between vendors
Wiz's analysis found that individual vendors made the same mistake in different ways. Cursor displayed the symlink's path in its diff interface, but the backend silently wrote the data to the real target anyway. Windsurf was even worse: it wrote the file to disk before showing the approval button at all, making the consent window pure theater since the damage was already done. Augment followed symlinks both on read, which allowed credentials to be exfiltrated, and on write, without any dialog box whatsoever.
The most troubling case involves Anthropic's Claude Code. Researchers found that the agent's internal reasoning correctly identified the dangerous target of the operation, but the final message shown to the user was neutral, simply asking whether to apply the edit to project_settings.json. In other words, the model knew something was wrong but never passed that knowledge on.
The agent's internal reasoning clearly recognizes the dangerous target, yet the confirmation prompt shown to the user completely hides that information - Wiz researchers
Vendor responses
Amazon responded most systematically, shipping a fix in version 1.69.0 along with an official CVE number. Google fixed the issue in Antigravity in version 1.19.6, rating it critical. Cursor released version 3.0 with a fix and its own CVE number. Augment and Windsurf acknowledged the report but had not published patches by the time the report was published.
Anthropic took a position different from the rest of the industry. The company initially rejected the report, arguing that a user who trusted a repository and approved the prompt bears responsibility for the consequences. Despite that stance, starting with version 2.1.32, released even before the vulnerability was publicly disclosed, Claude Code now resolves symlinks and warns before writing to sensitive files.
What it means for developers
GhostApproval strikes at a weak point of an entire category of tools, not a single product. Coding agents are gaining ever broader access to the file system in the name of convenience, and the approval mechanisms meant to balance that turn out to be illusory when the interface shows something other than the operation actually being performed. For development teams in Poland using Cursor, Claude Code, or Amazon Q, this means updating to the latest versions and exercising caution when opening unfamiliar repositories, especially ones downloaded from public sources or attached to bug reports.
Wiz researchers stress that the problem is systemic rather than incidental. It stems from the tension between the growing autonomy of AI agents and the need to preserve genuine human oversight over what is actually happening on one's computer. Symlinks as an attack vector date back to the early days of Unix, but only now, in the context of AI agents with broad file-system permissions, is the full scale of the risk becoming clear.
Companies planning to roll out coding agents at scale should treat operation approval windows as something requiring its own security audit, rather than a ready-made protective mechanism supplied by the vendor. It's also worth restricting agents' write permissions outside a project's working directory wherever possible.
Sources: GhostApproval: A Trust Boundary Gap in AI Coding Assistants (wiz.io), GhostApproval Symlink Flaws Could Let Malicious Repos Run Code in AI Coding Agents (thehackernews.com)

