alexi.sh
All articlesBrowser securityNetwork privacyPrivacy toolingThreat modelingAI codingDev tooling

alexi.shAI Engineering Lab

ai-coding

GhostApproval: the AI Coding Assistant Flaw That Writes Files You Did Not Approve (2026)

PrivSec Lab3 min read
A code editor open on a laptop screen in a dark room

Wiz disclosed GhostApproval, a trust-boundary gap in at least six AI coding assistants: a malicious repo can trick the agent into writing outside your project via a symlink, sometimes before you approve. What it is, which tools were affected, and how to stay safe.

GhostApproval is the name Wiz gave to a flaw it found in at least six popular AI coding assistants, disclosed in July 2026. The short version: a booby-trapped repository can trick your coding agent into writing files outside your project - and in the worst cases, before you ever click "approve". It is a good reminder that letting an agent touch your filesystem is only as safe as what the approval prompt actually shows you. Here is what GhostApproval is, which tools were affected, and how to stay safe.

How GhostApproval works

The trick combines two old weaknesses: following symbolic links (CWE-61) and a misleading interface (CWE-451). A malicious repo contains a symlink - a file that is really a pointer to another path. Its name looks innocent, say project_settings.json, but it points to something sensitive like ~/.ssh/authorized_keys. You ask the agent to edit "the settings file"; it follows the link and writes to the real target - for instance adding an attacker's SSH key. Crucially, the confirmation dialog shows the harmless symlink name, not the resolved destination. As Wiz put it, "the agent knew, the user didn't": the model's own reasoning sometimes recognised the dangerous path while the prompt hid it.

The dangerous variant: writes before you approve

In some tools the write happens before the Accept/Reject prompt even appears, turning the confirmation into an undo button rather than a gate. Wiz describes exactly this in Windsurf: an attacker's SSH key was written to ~/.ssh/authorized_keys before the user could approve. That is a pre-authorization remote code execution - the human-in-the-loop check happens after the damage is already done.

A terminal listing files above a backlit keyboard - GhostApproval abuses a symlinked file to write outside the folder you think you are editing.

Which tools were affected, and their status

Wiz tested six assistants and reported a variant in each. Here is the disclosed status, reported neutrally:

  • Cursor - fixed (CVE-2026-50549, version 3.0+).
  • Amazon Q Developer - fixed (CVE-2026-12958, language server 1.69.0).
  • Google Antigravity - fixed (deployed May 2026).
  • Augment - acknowledged; no fix shipped at disclosure.
  • Windsurf - acknowledged; the pre-authorization variant, no fix shipped at disclosure.
  • Anthropic Claude Code - Anthropic considers the issue outside its threat model, on the basis that a user confirms they trust a directory when they first start Claude Code there; separately, Claude Code added proactive symlink warnings in an earlier version.

Why it matters beyond one bug

GhostApproval is not really one vendor's mistake - it is a pattern. Two design choices cause it: shallow sandboxing that does not resolve a file's canonical path before acting, and human-in-the-loop approvals that are formal rather than informed, because you approve a name instead of the real action. Any agent with broad filesystem access can fall into this trap. It is the same class of risk we covered in our guide to AI agent security: autonomy plus access means a bad instruction becomes a real action.

How to protect yourself

  • Update your tools now. Several vendors have patched it; run the latest version of your coding assistant.
  • Only trust repositories you trust. Be cautious letting an agent act inside unknown or freshly cloned repos.
  • Use least privilege. Run agents in a container or sandbox that cannot reach ~/.ssh, cloud credentials or other secrets.
  • Read the prompts. Be wary of edits to configuration files and dotfiles, and prefer tools that resolve symlinks and show the real target path.

The bottom line

GhostApproval shows that "human-in-the-loop" is only as strong as what the prompt actually reveals. A symlink can point a well-meaning agent at your secrets, and a confirmation dialog that hides the real path - or appears after the write - gives false comfort. Update your AI coding assistant, restrict what it can touch, and treat approvals as meaningful only when they show you the true destination.

Photo: Pexels (source)

Also available in

FAQ

What is GhostApproval?
GhostApproval is a security pattern that the security firm Wiz identified across at least six AI coding assistants, disclosed in July 2026. A malicious repository contains a symbolic link (symlink) whose name looks harmless but points to a sensitive file outside your project - for example a file named project_settings.json that actually points to ~/.ssh/authorized_keys. When you ask the agent to edit that file, it follows the symlink and writes to the real target, while the approval dialog shows only the harmless name. Wiz summarised it as: the agent knew, the user did not.
Is GhostApproval fixed?
Partly. Wiz reported it to six vendors. According to Wiz, Cursor (CVE-2026-50549, version 3.0+), Amazon Q Developer (CVE-2026-12958, language server 1.69.0) and Google Antigravity have shipped fixes. Augment and Windsurf acknowledged the report but, at disclosure, had not shipped a fix. Anthropic considers the issue outside its threat model, on the basis that the user confirms they trust a directory when starting Claude Code; separately, Claude Code added proactive symlink warnings in an earlier version. The practical takeaway is to update your tools to the latest version.
Which AI coding assistants were affected?
Wiz tested six and found a variant in each: Cursor, Amazon Q Developer, Google Antigravity, Augment, Windsurf and Anthropic Claude Code. Severity ranged from a fixable interface issue to a pre-authorization remote code execution, depending on the tool. Vendor responses differed, so the safest assumption is that any coding agent with broad filesystem access could be exposed to symlink-based path escapes unless it resolves and shows the real target path.
Can GhostApproval run code on my machine?
In the worst variants, effectively yes. By writing an attacker-controlled SSH key into ~/.ssh/authorized_keys, an attacker can gain remote access to the developer's machine, which is remote code execution in practice. Wiz described the most severe case (in Windsurf) as a pre-authorization RCE, because the file was written before the Accept or Reject buttons even appeared - so the confirmation acted as an undo, not a gate.
How do I protect myself from GhostApproval?
Update your AI coding assistant to the latest version, since several vendors have patched it. Only let an agent act inside repositories you trust, and be cautious opening unknown repos. Run agents with least privilege - ideally in a container or sandbox that cannot reach ~/.ssh, cloud credentials or other secrets. Read approval prompts carefully, especially edits to configuration or dotfiles, and prefer tools that resolve symlinks and display the real destination path.