GhostApproval: Wiz Exposes Symlink Trust Gap Across Six Top AI Coding Agents

9 min read
GhostApproval: Wiz Exposes Symlink Trust Gap Across Six Top AI Coding Agents
TL;DR

Wiz Research discloses GhostApproval — a category-level trust boundary flaw where symlinks trick AI coding agents into writing outside the approved workspace, bypassing human confirmation dialogs entirely.

What Happened

The "Human-in-the-Loop" model is one of AI safety's most repeated promises. You're in control. You approve everything. The agent can't act without you. On July 8, 2026, Wiz Research's Maor Dokhanian dismantled that promise — at least for six of the most widely deployed AI coding tools on the planet.

The research team disclosed GhostApproval, a trust boundary vulnerability affecting Amazon Q Developer, Cursor, Claude Code (Anthropic), Antigravity, Windsurf (Codeium), and Augment Code. The attack technique isn't sophisticated. It's a symbolic link, a Unix primitive that has existed since the 1970s and has been in the CVE database under CWE-61 for decades. The surprise isn't the technique. It's that six well-funded, security-aware AI tool vendors all shipped the same blind spot simultaneously.

Two CVEs were issued upon disclosure: CVE-2026-12958 for Amazon Q Developer and CVE-2026-50549 for Cursor.

GhostApproval — AI Coding Agent Trust Boundary Gap — Wiz Research — July 8, 2026 — CVE-2026-50549 CVE-2026-12958
GhostApproval banner: six AI coding agents discovered vulnerable to symlink sandbox bypass — a category-level trust boundary flaw disclosed by Wiz Research.
GhostApproval, disclosed July 8, 2026 by Wiz Research, exposes a category-level symlink trust boundary flaw across six top AI coding tools including Claude Code, Cursor, and Amazon Q Developer.

How the Attack Works

The mechanic is elegant in its simplicity. An attacker crafts a malicious repository and plants a symbolic link inside it — say, project/config.txt — which resolves behind the scenes to /home/developer/.ssh/authorized_keys.

When the developer clones the repo and opens it in their AI coding agent, the agent reads the project structure. The agent's approval dialog faithfully displays: "Write to: project/config.txt". The developer sees a safe, scoped path inside their workspace. They click Approve.

What actually happens is the symlink redirects the write to the attacker's target outside the workspace boundary. The developer approved a ghost path — one that looked legitimate but resolved somewhere else entirely.

This is why Wiz named it GhostApproval. The approval is real. The path is a ghost.

Symlink Bypass Attack Path — GhostApproval — CWE-61 Symlink Following — AI Coding Agent Sandbox Escape Diagram
Attack flow diagram showing how a malicious symlink inside a repo tricks an AI coding agent into writing outside the approved workspace boundary, bypassing the human confirmation dialog.
The symlink bypass path: the AI agent shows workspace/config.txt in the approval dialog (green, appears safe) while the symlink silently resolves to /home/user/.ssh/authorized_keys — completely outside the sandbox boundary (CWE-61).

Why This Is a Category-Level Problem

It would be easy to read "symlink bug in AI tool" and assume it's a narrow, one-off implementation slip. It isn't. The Wiz findings show this is a category-level architectural oversight in how agentic coding tools handle untrusted workspaces.

Every affected tool made the same assumption: the paths visible inside the workspace directory are the actual paths that will be written. That assumption breaks the moment symlinks appear. And symlinks are everywhere in real-world repos — build systems, monorepos, package managers, and especially in repositories that have passed through dependency chains.

What this tells us is that when AI agents gained autonomous write capabilities, they inherited decades of Unix trust model complexity — without the decades of hardening that came with it. The Human-in-the-Loop wasn't bypassed through a clever zero-day. It was bypassed through a path resolution check that nobody bothered to do.

"The approval dialog is the contract between the agent and the user. When symlinks break that contract, the entire safety model collapses. You're not approving what you think you're approving." — Analysis based on Wiz Research GhostApproval disclosure, July 2026

Vendor Response & Fix Status

Wiz coordinated disclosure with all six vendors before going public. The response has been uneven.

Vendor Fix Status Matrix — GhostApproval CVE-2026-50549 CVE-2026-12958 — Cursor Amazon Q Anthropic Claude Code Antigravity Windsurf Augment
Vendor fix status matrix for GhostApproval: Amazon Q Developer and Cursor issued CVE-backed patches; Claude Code and Antigravity implemented prompt-level mitigations; Windsurf and Augment have fixes pending.
Vendor response matrix as of July 8, 2026: only Amazon Q Developer (v2.20+) and Cursor (v0.48+) have issued CVE-backed patches. Claude Code (Anthropic) and Antigravity applied prompt/workspace-level hardening. Windsurf and Augment remain in progress.

Amazon Q Developer and Cursor both received formal CVEs and shipped patch releases within 48 hours of coordinated disclosure. Amazon Q v2.20+ resolves symlinks to their canonical paths before presenting approval dialogs. Cursor v0.48+ applies the same fix and adds a workspace guard that flags symlink chains on project open.

Claude Code (Anthropic) and Antigravity addressed the issue through workspace configuration hardening and prompt-level mitigations — no CVEs were issued as Wiz assessed the vector as lower-severity in these tools due to existing sandbox layers. Both teams confirmed the issue is addressed in their latest builds.

Windsurf (Codeium) and Augment Code confirmed they are aware of the issue and are shipping fixes, with no specific timelines provided at the time of disclosure.

What You Should Do Right Now

Don't wait for a unified industry fix. The remediation steps are clear and immediate:

If you use Cursor: Update to v0.48 or later today. Go to Help → Check for Updates.

If you use Amazon Q Developer: Update your AWS IDE extension to v2.20+. The fix applies to both VS Code and JetBrains plugins.

For all other AI coding agents (Claude Code, Antigravity, Windsurf, Augment):

  • Enable any available "symlink protection" or "workspace isolation" settings.
  • Never open an untrusted repository in agent write mode without first auditing its structure for suspicious symlinks.
  • Run find . -type l before granting agent write access to any unfamiliar repo.
  • Consider running agents inside a container or VM when working with third-party or open-source codebases.
For platform and security teams: Add symlink detection to your repo ingestion and CI/CD pipeline. Flag repositories with symlinks pointing outside their root directory before developers clone them locally.

The Bigger Picture

This disclosure lands at a moment when AI coding agents are being handed more autonomy, not less. Autonomous PR creation, background agents running without interaction, multi-file refactors happening while you sleep — all of these rely on the trust model that GhostApproval just cracked.

The Unix symlink has outlasted three generations of software engineering paradigms. It's outlasting this one too. The question for every vendor shipping autonomous write capabilities is no longer "do we trust the user's approval?" — it's "do we trust the path?"

Right now, the answer for four out of six of the industry's top AI coding tools is: not quite.

Sources

Frequently Asked Questions

What is GhostApproval? GhostApproval is a trust boundary vulnerability discovered by Wiz Research on July 8, 2026. It exploits symbolic links (symlinks) to trick AI coding agents — including Claude Code, Cursor, Amazon Q Developer, Antigravity, Windsurf, and Augment — into writing files outside the approved workspace, bypassing human confirmation dialogs.
Which AI coding tools are affected by GhostApproval? Six major tools are affected: Amazon Q Developer (CVE-2026-12958), Cursor (CVE-2026-50549), Claude Code (Anthropic), Antigravity, Windsurf (Codeium), and Augment Code. Amazon Q and Cursor have issued patches. Others have implemented mitigations or have fixes pending.
How does the symlink attack work in AI coding agents? An attacker places a malicious symlink inside a repository — e.g., config.txt → ../../.ssh/authorized_keys. When the AI agent processes the repo, it follows the symlink but shows the "safe" path in its approval dialog. The human approves what looks benign, but the agent writes to the attacker-controlled target outside the workspace.
What should developers do right now to protect themselves? Update Cursor to v0.48+ and Amazon Q Developer to v2.20+ immediately. For all other tools: enable symlink-following protection in workspace settings, never open untrusted repos in agent write mode without sandboxing, and run find . -type l to audit symlinks before granting AI write access.
Is GhostApproval a new vulnerability class? The underlying symlink technique (CWE-61) is decades old. What GhostApproval reveals is a new attack surface: AI coding assistants with autonomous write capabilities inherit this Unix-era weakness in a novel and dangerous way, because the human approval step provides a false sense of security.
Disseminate Knowledge

Broadcast this intelligence

Copy Permanent Link

Want to work together?

Technical and delivery consulting for engineering leaders — diagnostics, agentic AI, and transformation with measurable outcomes.