News
GhostApproval: Security Flaw Hits Six AI Coding Assistants

Wiz Research detailed a technique called GhostApproval that uses symbolic links to trick Amazon Q, Claude Code, Cursor, Augment, Google Antigravity and Windsurf into writing files outside the project sandbox without the developer's knowledge.
Wiz Research has detailed a new attack technique called GhostApproval that lets a malicious repository trick an AI coding assistant into writing a file outside the project sandbox, even though the user formally approves the operation. The flaw affects six popular tools developers use every day.
The attack starts with a repository crafted by the attacker, where a file that looks innocent, such as project_settings.json, is actually a symbolic link pointing to a sensitive location, for example a directory holding SSH keys. When the developer asks the assistant to set up the working environment, the agent follows the link and writes attacker-supplied content there, such as a public SSH key that grants persistent, passwordless access to the victim's machine.
Where the flaw lies
Symlink following itself has been known for decades and is classified as CWE-61. What the Wiz researchers found goes a step further: in several cases the agent's internal reasoning correctly identifies the dangerous target of the operation, but the confirmation window shown to the user hides that information entirely.
During testing, Claude Code's internal reasoning explicitly stated that the project_settings.json file was actually a zsh configuration file. Despite that, the dialog shown to the user only asked whether they approved editing project_settings.json, with no mention of the real target. The agent knew, the user did not.
Confirmation dialogs must be gates, not undo mechanisms - Wiz Research researchers
Vendor responses
Three companies responded quickly. AWS released a fix in version 1.69.0 of its language server on May 27, 2026, and assigned it CVE-2026-12958. Cursor patched the issue in version 3.0 on June 5, 2026, under CVE-2026-50549. Google rolled out a fix on May 22, 2026, and is still evaluating whether to assign it a separate CVE.
Augment and Windsurf confirmed they received the report, but as of publication had not yet issued a full fix, leaving their users potentially exposed. Anthropic took a different approach and disputed that Claude Code's behavior constitutes a vulnerability, arguing that users who trust a project's directory bear responsibility for their own approval decisions.
What it means for developers
For teams using coding agents in their daily work, GhostApproval is a reminder that human-in-the-loop approval mechanisms don't automatically protect against manipulation if the interface displays different information than what the model is actually acting on. Opening an unknown repository and asking an agent to configure the environment without reviewing the working directory's contents remains a risky practice, especially with tools that have not yet received a fix.
Wiz researchers stressed that the problem goes beyond individual bugs in specific products and touches a broader design question the industry has not yet settled: how to ensure that what the user sees in the consent dialog actually matches what the agent will do. The vendors' diverging responses, from quick patches to dismissing the report as not a vulnerability, show that a shared standard on this question is still missing.
For Polish software companies and freelancers using Cursor, Claude Code or Amazon Q, the takeaway is practical: update tools to the latest versions, limit automatic execution of configuration commands on unfamiliar repositories, and treat AI agent confirmation dialogs with the same caution as links in suspicious emails.
Sources: Cybersecurity News (cybersecuritynews.com), Infosecurity Magazine (infosecurity-magazine.com)

