GhostApproval Vulnerability Exposes AI Coding Agents to Classic Symlink Attacks
A critical vulnerability dubbed 'GhostApproval' allows AI coding assistants to bypass sandboxes using symbolic links, potentially leading to remote code execution and SSH key injection.

A significant security flaw, identified as "GhostApproval," has been discovered in at least six popular AI coding assistants, enabling them to access files outside their designated sandboxes. This vulnerability exploits a classic security technique involving symbolic links (symlinks) to potentially achieve remote code execution on a developer's machine. The discovery was made by Wiz, a security firm owned by Google, which reported the issue to affected vendors including Amazon, Anthropic, Augment, Cursor, Google, and Windsurf.
The GhostApproval vulnerability leverages the age-old practice of using symlinks, which act as shortcuts to other files or directories. Attackers can create a malicious repository containing a symlink that appears to point to a harmless configuration file but actually directs the AI agent to a sensitive system file, such as the ~/.ssh/authorized_keys file. When a developer clones this repository and instructs the AI agent to set up the workspace or follow instructions, the agent may inadvertently write malicious content, like an attacker's SSH public key, to the sensitive file, granting the attacker persistent, password-less access.
Wiz researchers highlighted that many of these AI coding tools employ sandboxes or confirmation dialogs to protect users. However, in the case of GhostApproval, the user interface often masks the true, malicious target of the symlink. This deception renders the human-in-the-loop safety mechanism ineffective, as users approve what they believe to be a benign local file edit, while the agent is actually writing to a critical file outside the project's scope.
Several vendors have responded to the vulnerability. Amazon, Cursor, and Google have acknowledged the severity, classifying it as critical or high-severity, and have already released patches or are in the process of issuing CVE identifiers. Amazon, for instance, has assigned CVE-2026-12958 to the flaw in its Q Developer tool. Augment and Windsurf have acknowledged the report but have not yet provided patches or user warnings.
Anthropic's response to the vulnerability has been particularly noteworthy. The company stated that the issue falls "outside our threat model," arguing that users must trust the directory before starting a session. They consider a user explicitly confirming a permission prompt within a malicious directory to be the user's responsibility, not the AI's. While Anthropic noted that current versions of Claude (2.1.173+) do resolve symlinks and warn users, they did not confirm if this change was a direct result of Wiz's report, labeling the initial report as "informative."
This incident underscores a broader "trust-boundary debate" in AI security. While some vendors argue that users are ultimately responsible for the environments they approve, Wiz contends that AI tools should protect users from deceptive workspaces. The fact that Google, AWS, and Cursor treated this as a genuine vulnerability and implemented fixes suggests a consensus among some major players that AI agents should not be tricked into performing actions that violate user trust, even if formal consent is obtained through a deceptive interface.
While there is currently no evidence of active exploitation in the wild, the widespread nature of the vulnerability across popular AI coding assistants poses a significant risk to enterprises that are rapidly adopting these tools. The potential for attackers to inject SSH keys or execute arbitrary code means that developers' machines, and by extension their organizations' codebases and cloud environments, could be compromised.