# GhostApproval: AI Coding Agents’ Approval Dialogs Lie

> Source: <https://byteiota.com/ghostapproval-ai-coding-agents-approval-dialogs-lie/>
> Published: 2026-07-13 13:16:22+00:00

On July 8, 2026, Wiz Security published [GhostApproval](https://www.wiz.io/blog/ghostapproval-a-trust-boundary-gap-in-ai-coding-assistants) — a vulnerability in six major AI coding assistants including Claude Code, Cursor, Amazon Q Developer, Windsurf, Augment, and Google Antigravity. Symlinks inside malicious repositories trick these agents into writing to SSH keys or shell startup files outside the workspace, while the approval dialog shows only the harmless symlink name. You click Accept on “project_settings.json.” Your `~/.ssh/authorized_keys`

file gets a new entry. You have no idea.

Three of the six vendors have shipped patches. Two acknowledged the issue without a timeline. Anthropic called it “outside our threat model.” All six tools are in daily use by millions of developers right now.

## The Symlink That Rewrites Your SSH Keys

A symbolic link is a filesystem pointer — a file that silently redirects reads and writes to another location. GhostApproval’s attack is built on this decades-old Unix primitive. An attacker plants a symlink named `project_settings.json`

inside a repository, pointing it at `~/.ssh/authorized_keys`

. The developer clones the repo, opens it in their AI coding assistant, and asks the agent to “set up the workspace.” The agent follows the README and writes the attacker’s SSH public key to the target file.

The approval dialog shows: *Edit project_settings.json*. The developer clicks Accept. The attacker now has permanent SSH access to the machine. A second variant targets `~/.zshrc`

or `~/.bashrc`

— injecting shell commands that execute every time the terminal opens. The attack is silent. No error. No anomaly. No indication anything went wrong.

## The Agent Knew. The Dialog Didn’t.

The most damaging finding from Wiz’s research is not that these tools follow symlinks — it’s that at least one already knows the real destination and doesn’t tell you. In testing Claude Code, Wiz found the agent had identified the actual symlink target in its own internal reasoning, noting that `project_settings.json`

was “actually a zsh configuration file.” That information never appeared in the approval dialog the developer saw.

Wiz stated it directly: “The Human-in-the-Loop security model only works if the loop provides accurate information. When an agent shows one thing and does another, user approval becomes meaningless.” This is the distinction between a detection failure and an information gap. Claude Code detected the symlink. It simply didn’t surface that detection where it mattered — to the developer, at the moment of decision.

Related:[GuardFall: Shell Injection Hits 10 of 11 AI Coding Agents]— a separate attack class from the same week, also affecting AI coding tool trust boundaries

## Windsurf Writes First, Asks Later

Most affected tools present a misleading filename in the approval dialog. Windsurf goes further: it writes file modifications to disk before displaying the Accept/Reject prompt. The dialog is an undo button, not an authorization gate. By the time a developer sees the confirmation, the SSH key is already written. Windsurf has acknowledged the issue but has not provided a fix or a timeline, which makes it the highest-risk tool for developers working with unfamiliar repositories today.

## Three Fixed, One Disputed, Two Waiting

Amazon Q Developer patched the vulnerability as [CVE-2026-12958 (High severity)](https://thehackernews.com/2026/07/ghostapproval-symlink-flaws-could-let.html), fixed in Language Server 1.69.0. Cursor issued CVE-2026-50549 (Critical) and patched it in v3.0. Google Antigravity engaged cooperatively and shipped a fix. Augment acknowledged the issue without a timeline. If you use Amazon Q, Cursor, or Google Antigravity, update now — patches exist and the CVEs are public.

Anthropic disputed GhostApproval’s classification, arguing that when a developer trusts a folder and then approves an edit, that decision is theirs. Anthropic also noted that [Claude Code added a symlink warning in February 2026](https://www.securityweek.com/ai-coding-tools-tricked-into-hacking-developer-machine-via-decades-old-technique/), before Wiz’s private disclosure. However, a warning banner at session start is not the same as showing the actual write target in the approval dialog at the moment of action. Three of the five other vendors rejected that reasoning — with patches, not statements.

Informed consent requires accurate information at the point of decision. When an approval dialog shows “project_settings.json” but writes to your SSH keys, that consent is hollow. This is the argument Anthropic hasn’t answered, and the one the rest of the industry decided was worth fixing.

## Key Takeaways

- GhostApproval exploits symlinks to redirect AI agent file writes to SSH keys and shell startup files — while showing developers a harmless filename in the approval dialog
- Cursor users: upgrade to v3.0 (CVE-2026-50549, Critical). Amazon Q Developer users: upgrade Language Server to 1.69.0 (CVE-2026-12958, High)
- Windsurf writes to disk before showing the approval dialog — avoid using it with untrusted repositories until a fix ships
- After any agent session with an unfamiliar repository, check timestamps:
`ls -la ~/.zshrc ~/.ssh/authorized_keys`

- Anthropic’s “outside our threat model” response is the minority position — three other vendors patched the same vulnerability
