GhostApproval is the name Wiz gave to a flaw it found in at least six popular AI coding assistants, disclosed in July 2026. The short version: a booby-trapped repository can trick your coding agent into writing files outside your project - and in the worst cases, before you ever click "approve". It is a good reminder that letting an agent touch your filesystem is only as safe as what the approval prompt actually shows you. Here is what GhostApproval is, which tools were affected, and how to stay safe.
How GhostApproval works
The trick combines two old weaknesses: following symbolic links (CWE-61) and a misleading interface (CWE-451). A malicious repo contains a symlink - a file that is really a pointer to another path. Its name looks innocent, say project_settings.json, but it points to something sensitive like ~/.ssh/authorized_keys. You ask the agent to edit "the settings file"; it follows the link and writes to the real target - for instance adding an attacker's SSH key. Crucially, the confirmation dialog shows the harmless symlink name, not the resolved destination. As Wiz put it, "the agent knew, the user didn't": the model's own reasoning sometimes recognised the dangerous path while the prompt hid it.
The dangerous variant: writes before you approve
In some tools the write happens before the Accept/Reject prompt even appears, turning the confirmation into an undo button rather than a gate. Wiz describes exactly this in Windsurf: an attacker's SSH key was written to ~/.ssh/authorized_keys before the user could approve. That is a pre-authorization remote code execution - the human-in-the-loop check happens after the damage is already done.

Which tools were affected, and their status
Wiz tested six assistants and reported a variant in each. Here is the disclosed status, reported neutrally:
- Cursor - fixed (CVE-2026-50549, version 3.0+).
- Amazon Q Developer - fixed (CVE-2026-12958, language server 1.69.0).
- Google Antigravity - fixed (deployed May 2026).
- Augment - acknowledged; no fix shipped at disclosure.
- Windsurf - acknowledged; the pre-authorization variant, no fix shipped at disclosure.
- Anthropic Claude Code - Anthropic considers the issue outside its threat model, on the basis that a user confirms they trust a directory when they first start Claude Code there; separately, Claude Code added proactive symlink warnings in an earlier version.
Why it matters beyond one bug
GhostApproval is not really one vendor's mistake - it is a pattern. Two design choices cause it: shallow sandboxing that does not resolve a file's canonical path before acting, and human-in-the-loop approvals that are formal rather than informed, because you approve a name instead of the real action. Any agent with broad filesystem access can fall into this trap. It is the same class of risk we covered in our guide to AI agent security: autonomy plus access means a bad instruction becomes a real action.
How to protect yourself
- Update your tools now. Several vendors have patched it; run the latest version of your coding assistant.
- Only trust repositories you trust. Be cautious letting an agent act inside unknown or freshly cloned repos.
- Use least privilege. Run agents in a container or sandbox that cannot reach
~/.ssh, cloud credentials or other secrets. - Read the prompts. Be wary of edits to configuration files and dotfiles, and prefer tools that resolve symlinks and show the real target path.
The bottom line
GhostApproval shows that "human-in-the-loop" is only as strong as what the prompt actually reveals. A symlink can point a well-meaning agent at your secrets, and a confirmation dialog that hides the real path - or appears after the write - gives false comfort. Update your AI coding assistant, restrict what it can touch, and treat approvals as meaningful only when they show you the true destination.



