GhostApproval Exposes Old Symlink Tricks in AI Coding Agents

Wiz uncovered GhostApproval, a symlink flaw in six leading AI coding agents that tricks them into writing outside sandboxes. Amazon, Cursor and Google fixed it with CVEs. Others dismissed or delayed. The human confirmation often hides the true target. (48 words)
GhostApproval Exposes Old Symlink Tricks in AI Coding Agents
Written by Juan Vasquez

Developers have embraced AI coding agents with remarkable speed. Tools from Amazon, Anthropic, Google and startups promise to handle setup, debugging and code changes with minimal oversight. Yet a fresh security report reveals these agents share a dangerous blind spot with systems from decades ago.

Wiz researchers uncovered a pattern they call GhostApproval. It affects at least six popular assistants. The flaw lets malicious repositories trick agents into writing files outside their workspace. The result? Remote code execution on the developer’s machine. And the human confirmation step that should prevent such moves often fails to show the real target.

Wiz detailed the issue on July 8. Maor Dokhanian, threat researcher at the Google-owned firm, described the core failure. “AI coding tools are routinely granted deep access to enterprise codebases and cloud environments,” he told The Register. “In the race to ship autonomous features, trust-boundary gaps emerge between users, AI agents, and local filesystems. Classic security principles – like resolving symlinks before acting on paths – cannot be overlooked as we embrace new AI architectures.”

The technique relies on symbolic links. These shortcuts have plagued Unix systems for years. Attackers point a seemingly innocent file at a sensitive one. The AI agent follows the link. It writes data where it shouldn’t. In this case, a booby-trapped Git repository can add an attacker’s SSH key to a victim’s authorized_keys file. Access granted. No password needed.

Here’s how simple the proof-of-concept looks. Create a directory. Add a symlink from project_settings.json to ~/.ssh/authorized_keys. Drop instructions in the README. Ask the agent to set up the workspace. The agent reads the file name in the prompt. It writes to the real target. The user sees only the harmless name.

That mismatch sinks the safety net. Many agents display a confirmation dialog. Some even detect the symlink internally. Yet the prompt hides the resolved path. “The user approves what they believe is a harmless local edit; the agent writes to a sensitive file outside of the project workspace,” Dokhanian wrote in the Wiz analysis. “The failure is not just that the symlink is followed – it’s that the UI doesn’t reveal the true target.”

Anthropic’s Claude Code stood out. Its internal reasoning once noted, “I can see that project_settings.json is actually a zsh configuration file.” The user prompt? “Make this edit to project_settings.json?” Anthropic initially dismissed the report. “This falls outside our current threat model,” the company said. “When the user first starts Claude Code in a directory, they must confirm that they trust the directory prior to starting the session.” The firm closed the ticket as informative.

Later versions of Claude Code began resolving symlinks and issuing warnings. Anthropic did not attribute the change to Wiz. The company did not respond to follow-up questions from The Register.

Other vendors responded more directly. Amazon classified the issue as high severity in Q Developer. It issued CVE-2026-12958 and fixed the flaw in version 1.69.0 of its language server. The update rolls out automatically in most cases. Cursor treated it as critical too. The company shipped a fix in version 3.0 and assigned CVE-2026-50549.

Google fixed the bug in its Antigravity tool on May 22. CVE assignment remains under review. Augment and Windsurf acknowledged the report and rated it critical. Neither had deployed patches by the time of publication. An Augment spokesperson stressed shared responsibility. “A coding agent needs to be able to edit and run code to be useful; and when it does that, it operates under your credentials,” the company said. “If you ask it to work on code, it will follow your instructions.”

This debate over trust boundaries runs through the entire incident. Users grant directory access. Agents act on instructions inside that space. When a workspace contains deceptive elements, who bears the fault? Dokhanian frames it sharply. “The consent is formally present but substantively empty.” He calls it a design philosophy question. Should tools shield users from malicious workspaces? Or does spotting danger fall solely on the developer?

Three vendors chose the first path and patched. Two others leaned on user vigilance. Anthropic placed the burden on initial directory trust. The pattern echoes how large AI providers have handled model flaws before. They often cite threat models that exclude tricked users.

But the stakes rise with agentic tools. These systems don’t just suggest code. They read files, run commands, edit projects and interact with cloud credentials. Enterprises deploy them inside sensitive repositories. One compromised developer workstation can expose far more.

Recent incidents add weight to the warning. On the same day as the Wiz disclosure, The Hacker News reported that agents from Claude Code, Cursor and OpenAI Codex trigger endpoint protection rules designed for human attackers. Sophos examined telemetry from a single week in June. The tools performed actions like decrypting browser credentials with DPAPI, enumerating credential stores and dropping scripts to startup folders. Credential access made up 56 percent of the blocked events. Execution accounted for another 29 percent.

Security teams now face noise from legitimate agent behavior. Traditional malware signals lose clarity when benign automation mimics threats. Sophos advised splitting detection rules by parent process, workspace reputation and other context. It also flagged risky flags such as Anthropic’s –dangerously-skip-permissions option.

The GhostApproval findings arrive amid a steady stream of agent-related issues. Earlier research exposed prompt injection via fake bug reports, configuration-based remote code execution in Claude Code and privilege escalation through writable folders. Each case shows how quickly autonomy collides with established security assumptions.

Dokhanian sees larger lessons. “GhostApproval reflects several key realities of the AI era. For one, human-in-the-loop isn’t always the safety net it appears to be. When the confirmation prompt hides critical information, developers can’t make informed decisions – the approval becomes a rubber stamp.”

His recommendations stay practical. Resolve symlinks before any prompt appears. Warn explicitly when a path points outside the workspace. Never write files before receiving clear user authorization. Vendors that followed this approach closed the gap quickly.

Yet the incident also highlights architecture trade-offs. Agents lose usefulness if they cannot edit and run code under user credentials. Complete isolation defeats the purpose. The answer lies in better visibility, not blanket restrictions. Developers must inspect repositories before letting agents loose. Tools must surface accurate information when consent is requested.

Enterprises racing to adopt these assistants would do well to pause. Review permissions. Limit workspace scope. Monitor for unusual file operations. And treat every new repository with the caution once reserved for unsigned binaries. The symlink problem never died. It simply found new hosts.

As more organizations hand over development tasks to autonomous agents, questions of trust will multiply. The GhostApproval episode shows that old Unix headaches persist in modern wrappers. Vendors have begun to respond. Whether the fixes stick across the fast-moving field remains to be seen. One thing is clear. Informed consent requires information. Without it, approval means little.

Subscribe for Updates

AISecurityPro Newsletter

A focused newsletter covering the security, risk, and governance challenges emerging from the rapid adoption of artificial intelligence.

By signing up for our newsletter you agree to receive content related to ientry.com / webpronews.com and our affiliate partners. For additional information refer to our terms of service.

Notice an error?

Help us improve our content by reporting any issues you find.

Get the WebProNews newsletter delivered to your inbox

Get the free daily newsletter read by decision makers

Subscribe
Advertise with Us

Ready to get started?

Get our media kit

Advertise with Us