Press play to start listening
A malicious code repository can abuse symbolic links to push several popular AI coding assistants beyond their approved workspace, according to new research from Wiz. The vulnerability pattern, named GhostApproval, affected tools from Amazon, Anthropic, Augment, Cursor, Google, Windsurf, and Cognition, with outcomes including misleading approval prompts to file changes made before users could respond.
Wiz researchers found that by using symbolic links, commonly known as symlinks, attackers could disguise repositories’ sensitive system files as ordinary project files. When an AI assistant followed the link, an edit presented as a change to a local configuration file could reach files such as ~/.ssh/authorized_keys or ~/.zshrc outside the project directory.
In one proof of concept, a repository included a file named project_settings.json that pointed to the developer’s SSH authorization file. Instructions in the repository asked the coding assistant to add configuration data, but the supplied content was an attacker-controlled SSH public key. A successful write could give the attacker persistent password-free access to the machine.
According to Wiz research shared with Hackread.com, the approval step was meant to give the person using the coding assistant a final chance to review file changes. Still, researchers found that the prompts did not always show enough information.
During testing of Anthropic’s Claude Code, internal reasoning recognized that a project file pointed to a sensitive location, while the visible prompt referred only to the local filename. A user could approve an edit without seeing where the data would actually be written.
That mismatch adds a user-interface problem to the underlying symlink weakness. Wiz classified the file-handling flaw under CWE-61 and linked the misleading approval behavior to CWE-451, which covers the misrepresentation of important information in a user interface.
Some products exhibited more severe failures because file changes occurred before approval. Tests involving Amazon Q Developer (Coding Assistant) and Windsurf found that content could be written to disk before users clicked an approval button. In those cases, controls presented as confirmation worked more like a way to reverse a change that had already happened.
Patches Arriving
Amazon
Amazon fixed the issue in AWS Language Server version 1.69.0 and assigned CVE-2026-12958. AWS said the language server normally updates automatically, while users on networks that block automatic updates may need to install the latest Amazon Q Developer plugin and reload their development environment.
Cursor
Cursor addressed its vulnerability in version 3.0 under CVE-2026-50549. Its interface displayed the project-side symlink name in the proposed diff, but accepting the change caused the backend to write to the resolved destination outside the workspace.
Google also corrected the flaw in Antigravity after researchers demonstrated an SSH-key write through a disguised project file. The affected version was listed as 1.19.6, and the CVE assignment remained pending at the time of disclosure.
Augment
Augment allowed both reads and writes through symbolic links without a confirmation prompt during Wiz testing. Researchers used the read behavior to access a credential file outside the project and demonstrated writes to SSH and shell configuration files. Augment acknowledged the reports and said it would provide an update, but no fix information had been published when the research was released.
Windsurf
Windsurf showed similar pre-approval behavior during tests on version 1.9566. The assistant wrote an attacker-controlled SSH key before Accept and Reject controls appeared, meaning the requested action had already reached the filesystem when the developer was asked to review it. Cognition acknowledged receiving the report in June but had not published a remediation update by disclosure.
Anthropic
Anthropic initially closed the report as outside the Claude Code threat model, arguing that users had already chosen to trust the repository and later approved the requested operation. Current Claude Code releases resolve symbolic links and warn before writes to sensitive locations.
Anthropic later said the warning had shipped in version 2.1.32 on February 5, nine days before the Wiz report was submitted, following an internal security review.
Wiz recommends resolving symbolic links before generating permission prompts and displaying the final canonical path whenever an operation leaves the workspace.
Coding assistants should also block file changes until explicit approval has been received, keeping confirmation controls as authorization gates and not post-write recovery options.
