GhostApproval: how a symlink can hijack your AI coding assistant

  • VersionDude
  • Tooling
  • 6 min read

In July 2026 Wiz disclosed GhostApproval, a flaw in six AI coding assistants. A malicious repository uses a symbolic link to redirect an approved file edit onto sensitive files like your SSH keys. What the attack is, which tools are affected, and how to stay safe.

On 8 July 2026 the cloud security firm Wiz disclosed a flaw it calls GhostApproval, affecting six popular AI coding assistants. The trick is simple and unsettling: the assistant asks your permission to edit one harmless-looking file, you approve it, and the write quietly lands on a different, sensitive file instead. The name captures it well - you approve a ghost, and something else happens.

This matters to any developer who uses an AI agent to read and edit code, because those agents act with your own file-system permissions. When an agent can write to disk, a booby-trapped repository can turn a single approved edit into remote code execution. Here is what GhostApproval is, exactly how it works, which tools were affected, and the discipline that keeps you safe.

What GhostApproval is

A brass padlock with its key inserted, resting on a pile of steel chain links. GhostApproval slipped an attacker's key into the file that decides who can unlock a developer's machine.
A brass padlock with its key inserted, resting on a pile of steel chain links. GhostApproval slipped an attacker's key into the file that decides who can unlock a developer's machine.

Wiz published the research on 8 July 2026 and named the pattern GhostApproval. According to its report, the affected assistants are Amazon Q Developer, Anthropic Claude Code, Augment, Cursor, Google Antigravity, and Windsurf. The underlying weakness is classified as CWE-61, symbolic-link following - a category of bug that predates AI tooling by decades.

The word ghost is the point. The assistant shows you an approval prompt naming one file, so you believe you are authorising a small, safe change. But the action that actually runs writes somewhere else entirely. You approved one thing; the tool did another. That gap between what you see and what happens is the whole vulnerability.

How the symlink attack works

The mechanism is an old Unix feature called a symbolic link, or symlink. A symlink is a file that simply points to another file somewhere else on disk. Read or write the symlink and the operating system quietly redirects you to its target. It is useful and completely normal - but only if the program handling it checks where the link actually goes.

  • GhostApproval abuses symlinks (CWE-61) in AI coding assistants
  • A malicious repo redirects an approved edit onto sensitive files like ~/.ssh/authorized_keys
  • Six tools affected; Amazon Q, Cursor and Google Antigravity shipped fixes with CVEs
  • Update your AI coding assistant to its latest patched version
  • Treat every cloned repository as untrusted code and read what you approve

Wiz built a malicious repository containing a symlink named something innocent like project_settings.json. That link did not hold settings at all: it pointed to the victim's ~/.ssh/authorized_keys, the file that lists which SSH keys are allowed to log in to the machine. The repository's own README then instructed the assistant to add a line to project_settings.json.

The agent followed the instruction and wrote the line. Because the file was a symlink, the line landed inside authorized_keys instead - and the line was the attacker's own SSH public key, dressed up as a harmless setting. According to Wiz, the result is SSH key injection, shell persistence, or other remote code execution, all reaching outside the workspace the agent was supposed to stay inside.

Which tools were affected, and fixed

Vendor responses varied, according to Wiz. Amazon Q was fixed in language server version 1.69.0 and assigned CVE-2026-12958; Cursor was fixed in version 3.0 under CVE-2026-50549; Google Antigravity shipped a fix with a CVE pending. Augment and Windsurf acknowledged the issue - Windsurf on 23 June 2026 - with fixes still in progress at publication.

Anthropic, per Wiz, considered the behaviour outside its threat model rather than a bug; Wiz also notes that Claude Code had already added symlink warnings in version 2.1.32, shipped on 5 February 2026, before the report. Whatever your tool, the practical move is the same: update it to the latest version, where the affected vendors have added symlink resolution and warnings.

How to protect yourself

Beyond patching, the defence is discipline. Treat every cloned repository as untrusted code, because a repo can carry symlinks that point far outside its own folder. Wiz's guidance to vendors is worth borrowing as a mental checklist: resolve symlinks before showing an approval prompt, warn clearly when the resolved path is outside the workspace, and never write to disk before explicit authorisation.

Beyond patching, the defence is discipline. Treat every cloned repository as untrusted code, because a repo can carry symlinks that point far outside its own folder. Wiz's guidance to vendors is worth borrowing as a mental checklist: resolve symlinks before showing an approval prompt, warn clearly when the resolved path is outside the workspace, and never write to disk before explicit authorisation.

- VersionDude

The honest takeaway

The deeper lesson outlasts this particular bug. An AI coding agent acts with your permissions, so approving its action means trusting the entire repository it is reading, not just the one line on screen. Scope your SSH keys, run code you do not fully trust in an isolated environment, and read what you approve - especially when the file it names looks reassuringly boring.

Related project