cd /news/ai-safety/ghostapproval-ai-coding-agents-appro… · home topics ai-safety article
[ARTICLE · art-57339] src=byteiota.com ↗ pub= topic=ai-safety verified=true sentiment=↓ negative

GhostApproval: AI Coding Agents’ Approval Dialogs Lie

Wiz Security disclosed GhostApproval, a vulnerability in six AI coding assistants including Claude Code, Cursor, Amazon Q Developer, Windsurf, Augment, and Google Antigravity, where malicious symlinks trick agents into writing to SSH keys or shell startup files outside the workspace while the approval dialog shows only the harmless symlink name. Three vendors have shipped patches, two acknowledged the issue without a timeline, and Anthropic disputed the classification, calling it outside their threat model. The flaw undermines the human-in-the-loop security model by hiding the real file destination from developers.

read4 min views1 publishedJul 13, 2026
GhostApproval: AI Coding Agents’ Approval Dialogs Lie
Image: Byteiota (auto-discovered)

On July 8, 2026, Wiz Security published GhostApproval — a vulnerability in six major AI coding assistants including Claude Code, Cursor, Amazon Q Developer, Windsurf, Augment, and Google Antigravity. Symlinks inside malicious repositories trick these agents into writing to SSH keys or shell startup files outside the workspace, while the approval dialog shows only the harmless symlink name. You click Accept on “project_settings.json.” Your ~/.ssh/authorized_keys

file gets a new entry. You have no idea.

Three of the six vendors have shipped patches. Two acknowledged the issue without a timeline. Anthropic called it “outside our threat model.” All six tools are in daily use by millions of developers right now.

A symbolic link is a filesystem pointer — a file that silently redirects reads and writes to another location. GhostApproval’s attack is built on this decades-old Unix primitive. An attacker plants a symlink named project_settings.json

inside a repository, pointing it at ~/.ssh/authorized_keys

. The developer clones the repo, opens it in their AI coding assistant, and asks the agent to “set up the workspace.” The agent follows the README and writes the attacker’s SSH public key to the target file.

The approval dialog shows: Edit project_settings.json. The developer clicks Accept. The attacker now has permanent SSH access to the machine. A second variant targets ~/.zshrc

or ~/.bashrc

— injecting shell commands that execute every time the terminal opens. The attack is silent. No error. No anomaly. No indication anything went wrong.

The Agent Knew. The Dialog Didn’t. #

The most damaging finding from Wiz’s research is not that these tools follow symlinks — it’s that at least one already knows the real destination and doesn’t tell you. In testing Claude Code, Wiz found the agent had identified the actual symlink target in its own internal reasoning, noting that project_settings.json

was “actually a zsh configuration file.” That information never appeared in the approval dialog the developer saw.

Wiz stated it directly: “The Human-in-the-Loop security model only works if the loop provides accurate information. When an agent shows one thing and does another, user approval becomes meaningless.” This is the distinction between a detection failure and an information gap. Claude Code detected the symlink. It simply didn’t surface that detection where it mattered — to the developer, at the moment of decision.

Related:[GuardFall: Shell Injection Hits 10 of 11 AI Coding Agents]— a separate attack class from the same week, also affecting AI coding tool trust boundaries

Windsurf Writes First, Asks Later #

Most affected tools present a misleading filename in the approval dialog. Windsurf goes further: it writes file modifications to disk before displaying the Accept/Reject prompt. The dialog is an undo button, not an authorization gate. By the time a developer sees the confirmation, the SSH key is already written. Windsurf has acknowledged the issue but has not provided a fix or a timeline, which makes it the highest-risk tool for developers working with unfamiliar repositories today.

Three Fixed, One Disputed, Two Waiting #

Amazon Q Developer patched the vulnerability as CVE-2026-12958 (High severity), fixed in Language Server 1.69.0. Cursor issued CVE-2026-50549 (Critical) and patched it in v3.0. Google Antigravity engaged cooperatively and shipped a fix. Augment acknowledged the issue without a timeline. If you use Amazon Q, Cursor, or Google Antigravity, update now — patches exist and the CVEs are public.

Anthropic disputed GhostApproval’s classification, arguing that when a developer trusts a folder and then approves an edit, that decision is theirs. Anthropic also noted that Claude Code added a symlink warning in February 2026, before Wiz’s private disclosure. However, a warning banner at session start is not the same as showing the actual write target in the approval dialog at the moment of action. Three of the five other vendors rejected that reasoning — with patches, not statements.

Informed consent requires accurate information at the point of decision. When an approval dialog shows “project_settings.json” but writes to your SSH keys, that consent is hollow. This is the argument Anthropic hasn’t answered, and the one the rest of the industry decided was worth fixing.

Key Takeaways #

  • GhostApproval exploits symlinks to redirect AI agent file writes to SSH keys and shell startup files — while showing developers a harmless filename in the approval dialog

  • Cursor users: upgrade to v3.0 (CVE-2026-50549, Critical). Amazon Q Developer users: upgrade Language Server to 1.69.0 (CVE-2026-12958, High)

  • Windsurf writes to disk before showing the approval dialog — avoid using it with untrusted repositories until a fix ships

  • After any agent session with an unfamiliar repository, check timestamps: ls -la ~/.zshrc ~/.ssh/authorized_keys

  • Anthropic’s “outside our threat model” response is the minority position — three other vendors patched the same vulnerability

── more in #ai-safety 4 stories · sorted by recency
── more on @wiz security 3 stories trending now
sponsored brought to you by zahid.host 4,200+ EU-deployed projects
reading about agents? ship yours in a single git push.

Run your AI side-project on zahid.host

EU-based hosting, git-push deploys, automatic HTTPS, no cold starts. Free tier with a custom domain — perfect for shipping the agent you just read about.

$git push zahid main
Live at https://your-agent.zahid.host
Get free account → Pricing
from €0/mo · no card required
LIVE [news/ghostapproval-ai-cod…] indexed:0 read:4min 2026-07-13 ·