AI/ML

‘GhostApproval’ technique leads AI coding tools to alter files outside of sandbox

A technique dubbed “GhostApproval” could enable malicious code repositories to trick AI coding assistants into editing files outside of their intended workspaces, Wiz reported Wednesday.

The method, developed as a proof-of-concept by Wiz, abuses symbolic links, or symlinks, which are files that point to another file by storing its pathname. A malicious GhostApproval repo contains a README file instructing the AI to edit a file within the repo, which is actually a symlink to another sensitive file on the victim’s machine, outside of the workspace or sandbox.

Wiz demonstrated how this technique could be used to write the attacker’s SSH public key to the victim’s “~/.ssh/authorized_keys” file, giving the attacker SSH access to the victim’s system. Six different AI coding assistants were tested, and all of the assistants performed the file write without adequately warning the user, Wiz researchers said.

The six products tested were Amazon Q Developer, Anthropic Claude Code, Augment Code, Cursor, Google Antigravity and Windsurf. As of this writing, Amazon Web Service (AWS), Anthropic, Cursor and Google have issued fixes for GhostApproval, and Windsurf’s report remains pending. Augment Code told SC Media it does not consider GhostApproval to be a vulnerability.

AWS, Cursor, Google and Anthropic updates address symlink abuse

AWS patched the issue in Language Servers for AWS version 1.69.0 in May, tracking it as CVE-2026-12958 with a CVSS score of 7.8. The vulnerability was disclosed in an AWS security bulletin on June 23, 2026. Wiz found that Amazon Q Developer wrote the SSH public key to the target filesystem before giving the user the option to “undo” the action, while also identifying the decoy file (project_settings.json) as a symlink in its output while setting up the workspace.

"The AWS Language Server updates automatically unless the customer's network configuration prevents it, so no action is required in most cases. For existing customers, reloading the IDE will trigger an update to the latest language server version, which includes this fix,” an AWS spokesperson said in a public statement. “If auto-update is blocked, we recommend upgrading to the latest version of the Amazon Q Developer plugin for your IDE. New customers require no action, as the latest patched version will be downloaded automatically.”

Cursor also fixed the flaw in Cursor v3.0, tracking it as CVE-2026-50549 with a CVSS score of 9.8. Cursor performed the file write outside of its sandbox with user approval, however, the diff displayed in the user interface (UI) only showed changes to project_setting.json and not the symlink path, weakening the human-in-the-loop protection.

Cursor issued an advisory for CVE-2026-50549 on June 5, 2026, encouraging users to update to version 3.0. Cursor credited both Wiz Threat Researcher Maor Dokhanian and Cato AI Labs in its advisory.

Google fixed the GhostApproval flaw in Google Antigravity in May and is currently assessing CVE issuance, according to Wiz. Similar to Cursor, Antigravity displayed “project_settings.json” rather than the resolved path in its permission dialog, ultimately performing the write to ~/.ssh/authorized_keys.

Anthropic Claude Code, when first tested by Wiz, identified the symlink in its “thinking” process but only prompted the user for changes to “project_settings.json” in its permission dialog. Anthropic added a warning for symlinks to Claude Code v2.1.32 on Feb. 5, 2026, prior to receiving Wiz’s report, as part of “proactive security hardening based on internal review,” according to statement provided to Wiz by Anthropic.

Anthropic’s initial response indicated the issue “falls outside of the Claude Code threat model,” as users are required to confirm they trust the directory prior to starting the session. However, Anthropic indicated this message was “an autoreply from our triage system.”

Augment Code says GhostApproval not a vulnerability, Windsurf report still pending

The GhostApproval issue remains unaddressed in Augment Code and Windsurf. Wiz said both companies acknowledged the reports but have not provided further updates to the company.

In Augment Code, Wiz demonstrated a SSH public key write to ~/.ssh/authorized_keys as well as shell persistence via ~/.zhrc, with the assistant acknowledging the symlink to the zsh configuration file in its chat output. However, the assistant performed both writes without any permission dialog. Additionally, Wiz showed Augment Code could read outside of its workspace by following a symlink to a file containing fake AWS keys.

An Augment spokesperson told SC Media that the company was able to reproduce Wiz’s findings but said the behavior is expected product behavior and not a vulnerability.

“A coding agent by design needs to edit and run code to be useful, which means it operates under your credentials. The symlink technique is clever, but it's lock-picking a gate that's already open: an agent that can edit and execute code can access your files,” the spokesperson stated.

Augment added that GhostApproval is an issue of shared responsibility.

“Developers need to vet third-party code before bringing it into a privileged environment, just as they would any code execution. No patch can separate an agent's ability to edit and run code from its ability to access the file system, so we are not issuing one,” Augment’s statement concluded.   

In Windsurf, the assistant wrote the SSH public key outside of the workspace prior to displaying a prompt asking the user to accept or reject the changes, according to Wiz.

“The confirmation dialog isn’t an authorization – it’s an undo mechanism,” the Wiz researchers wrote.

SC Media reached out to Windsurf to ask whether it has investigated the issue and plans to issue a fix, and did not receive a response.

An In-Depth Guide to AI

Get essential knowledge and practical strategies to use AI to better your security program.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds