Wiz Research discloses GhostApproval — a category-level trust boundary flaw where symlinks trick AI coding agents into writing outside the approved workspace, bypassing human confirmation dialogs entirely.
What Happened
The "Human-in-the-Loop" model is one of AI safety's most repeated promises. You're in control. You approve everything. The agent can't act without you. On July 8, 2026, Wiz Research's Maor Dokhanian dismantled that promise — at least for six of the most widely deployed AI coding tools on the planet.
The research team disclosed GhostApproval, a trust boundary vulnerability affecting Amazon Q Developer, Cursor, Claude Code (Anthropic), Antigravity, Windsurf (Codeium), and Augment Code. The attack technique isn't sophisticated. It's a symbolic link, a Unix primitive that has existed since the 1970s and has been in the CVE database under CWE-61 for decades. The surprise isn't the technique. It's that six well-funded, security-aware AI tool vendors all shipped the same blind spot simultaneously.
Two CVEs were issued upon disclosure: CVE-2026-12958 for Amazon Q Developer and CVE-2026-50549 for Cursor.

How the Attack Works
The mechanic is elegant in its simplicity. An attacker crafts a malicious repository and plants a symbolic link inside it — say, project/config.txt — which resolves behind the scenes to /home/developer/.ssh/authorized_keys.
When the developer clones the repo and opens it in their AI coding agent, the agent reads the project structure. The agent's approval dialog faithfully displays: "Write to: project/config.txt". The developer sees a safe, scoped path inside their workspace. They click Approve.
What actually happens is the symlink redirects the write to the attacker's target outside the workspace boundary. The developer approved a ghost path — one that looked legitimate but resolved somewhere else entirely.
This is why Wiz named it GhostApproval. The approval is real. The path is a ghost.

workspace/config.txt in the approval dialog (green, appears safe) while the symlink silently resolves to /home/user/.ssh/authorized_keys — completely outside the sandbox boundary (CWE-61).Why This Is a Category-Level Problem
It would be easy to read "symlink bug in AI tool" and assume it's a narrow, one-off implementation slip. It isn't. The Wiz findings show this is a category-level architectural oversight in how agentic coding tools handle untrusted workspaces.
Every affected tool made the same assumption: the paths visible inside the workspace directory are the actual paths that will be written. That assumption breaks the moment symlinks appear. And symlinks are everywhere in real-world repos — build systems, monorepos, package managers, and especially in repositories that have passed through dependency chains.
What this tells us is that when AI agents gained autonomous write capabilities, they inherited decades of Unix trust model complexity — without the decades of hardening that came with it. The Human-in-the-Loop wasn't bypassed through a clever zero-day. It was bypassed through a path resolution check that nobody bothered to do.
Vendor Response & Fix Status
Wiz coordinated disclosure with all six vendors before going public. The response has been uneven.

Amazon Q Developer and Cursor both received formal CVEs and shipped patch releases within 48 hours of coordinated disclosure. Amazon Q v2.20+ resolves symlinks to their canonical paths before presenting approval dialogs. Cursor v0.48+ applies the same fix and adds a workspace guard that flags symlink chains on project open.
Claude Code (Anthropic) and Antigravity addressed the issue through workspace configuration hardening and prompt-level mitigations — no CVEs were issued as Wiz assessed the vector as lower-severity in these tools due to existing sandbox layers. Both teams confirmed the issue is addressed in their latest builds.
Windsurf (Codeium) and Augment Code confirmed they are aware of the issue and are shipping fixes, with no specific timelines provided at the time of disclosure.
What You Should Do Right Now
Don't wait for a unified industry fix. The remediation steps are clear and immediate:
If you use Cursor: Update to v0.48 or later today. Go to Help → Check for Updates.
If you use Amazon Q Developer: Update your AWS IDE extension to v2.20+. The fix applies to both VS Code and JetBrains plugins.
For all other AI coding agents (Claude Code, Antigravity, Windsurf, Augment):
- Enable any available "symlink protection" or "workspace isolation" settings.
- Never open an untrusted repository in agent write mode without first auditing its structure for suspicious symlinks.
- Run
find . -type lbefore granting agent write access to any unfamiliar repo. - Consider running agents inside a container or VM when working with third-party or open-source codebases.
The Bigger Picture
This disclosure lands at a moment when AI coding agents are being handed more autonomy, not less. Autonomous PR creation, background agents running without interaction, multi-file refactors happening while you sleep — all of these rely on the trust model that GhostApproval just cracked.
The Unix symlink has outlasted three generations of software engineering paradigms. It's outlasting this one too. The question for every vendor shipping autonomous write capabilities is no longer "do we trust the user's approval?" — it's "do we trust the path?"
Right now, the answer for four out of six of the industry's top AI coding tools is: not quite.
Sources
- Wiz Research: GhostApproval — A Trust Boundary Gap in AI Coding Assistants
- The Register: Bug in top AI coding agents shows that Unix-era security headaches never really die
- SecurityWeek: AI Coding Tools Tricked Into Hacking Developer Machine Via Decades-Old Technique
Frequently Asked Questions
What is GhostApproval?
GhostApproval is a trust boundary vulnerability discovered by Wiz Research on July 8, 2026. It exploits symbolic links (symlinks) to trick AI coding agents — including Claude Code, Cursor, Amazon Q Developer, Antigravity, Windsurf, and Augment — into writing files outside the approved workspace, bypassing human confirmation dialogs.Which AI coding tools are affected by GhostApproval?
Six major tools are affected: Amazon Q Developer (CVE-2026-12958), Cursor (CVE-2026-50549), Claude Code (Anthropic), Antigravity, Windsurf (Codeium), and Augment Code. Amazon Q and Cursor have issued patches. Others have implemented mitigations or have fixes pending.How does the symlink attack work in AI coding agents?
An attacker places a malicious symlink inside a repository — e.g.,config.txt → ../../.ssh/authorized_keys. When the AI agent processes the repo, it follows the symlink but shows the "safe" path in its approval dialog. The human approves what looks benign, but the agent writes to the attacker-controlled target outside the workspace.
What should developers do right now to protect themselves?
Update Cursor to v0.48+ and Amazon Q Developer to v2.20+ immediately. For all other tools: enable symlink-following protection in workspace settings, never open untrusted repos in agent write mode without sandboxing, and runfind . -type l to audit symlinks before granting AI write access.