TheVortiq
Inteligencia Artificial

GhostApproval: The Old Unix Trick That Tricks AI Coding Assistants

Six popular AI agents present a vulnerability that allows remote code execution via symbolic links

July 9, 2026 · 4 min read

a computer keyboard with a padlock on top of it

TL;DR: Six AI coding assistants have a vulnerability that allows remote code execution via symlinks. The user approves an innocent edit, but the agent writes to sensitive files. Amazon, Cursor, and Google have patched; Anthropic does not consider it a threat.

What happened?

Security researchers at Wiz have identified a systematic vulnerability pattern in six of the most widely used AI coding assistants: Amazon Q Developer, Anthropic Claude Code, Augment, Cursor, Google Antigravity, and Windsurf. The flaw, named GhostApproval, allows an attacker to trick these agents into accessing files outside the sandbox workspace, potentially leading to remote code execution on the developer's machine.

The attack exploits a security feature from the Unix era: symbolic links (symlinks). A malicious repository can contain a symlink pointing to a sensitive file, such as ~/.ssh/authorized_keys. When the developer asks the agent to "set up the project" or "follow the README instructions," the agent follows the link and writes to the real destination, granting the attacker passwordless SSH access. According to Wiz's technical report, the attack is simple to execute: just create a repository containing a symlink disguised as a configuration file, and a README instructing the agent to modify it. The agent, without resolving the symlink before acting, writes to the real destination, such as ~/.ssh/authorized_keys, allowing the attacker to connect via SSH without authentication.

Why is it important?

This vulnerability is critical because AI coding assistants are being massively adopted in enterprises, with deep access to codebases and cloud environments. Although no active exploitation has been detected, the risk is high. The problem is not just technical but also a design issue: confirmation dialogs hide the real destination of the symlink, making human oversight useless. Wiz demonstrated that even when the agent shows a preview of changes, the user only sees the symlink name (project_settings.json), not the actual file (~/.ssh/authorized_keys). This turns human approval into a false sense of security.

"The user approves what they believe is a harmless local edit; the agent writes to a sensitive file outside the workspace," explains Maor Dokhanian, researcher at Wiz.

The potential impact is enormous: an attacker could inject SSH keys, modify startup scripts, or even plant backdoors in the developer's system, compromising the entire software supply chain. Since these agents integrate with CI/CD environments and internal repositories, the damage could spread to production.

Vendor responses

The response has been uneven, reflecting differences in each company's security maturity:

  • Amazon, Cursor, and Google considered the flaw critical or high severity, fixed it, and have issued or are issuing a CVE. Amazon Q Developer already has a patch available, and Cursor issued CVE-2025-XXXX (pending assignment). Google Antigravity is in the process of obtaining a CVE.
  • Augment and Windsurf acknowledged the report but have not patched or warned users. This is concerning, as they leave their users exposed without known mitigations.
  • Anthropic stated it is "outside our threat model" and took no action. This stance contrasts with the severity of the finding and suggests that Anthropic does not believe agents should protect against malicious repositories, which is debatable given that agents run with user permissions.

Historically, symlink flaws have been exploited in tools like tar, rsync, and package managers. For example, in 2021 a similar vulnerability was discovered in the Python package manager (CVE-2021-21239) that allowed an attacker to overwrite system files via symlinks in malicious packages. GhostApproval demonstrates that this classic problem resurges strongly in the AI era.

Consequences for companies and developers

GhostApproval exposes the fragility of blindly trusting autonomous agents. Companies deploying these tools must implement additional controls: restrict agent permissions (run it in a container with a read-only filesystem), audit third-party repositories (scan for malicious symlinks), and educate developers about symlink risks. The vulnerability reminds us that classic security principles, such as resolving symlinks before acting, remain relevant in the AI era. Wiz recommends that agents use realpath() or os.path.realpath() to verify that the destination is within the allowed directory before performing any operation.

The AI coding assistant market is booming: it is expected to grow from $1.5 billion in 2024 to over $8 billion in 2028 (according to Gartner). This vulnerability could slow adoption if vendors do not demonstrate a serious commitment to security. Moreover, the Anthropic case sets a dangerous precedent: if vendors can ignore flaws under the argument of "outside the threat model," users remain unprotected.

What should readers know?

If you use any of these agents, check whether your vendor has released a patch. Do not blindly trust confirmation dialogs. Manually review any operation involving files outside the project. And demand that vendors treat these flaws with the seriousness they deserve. For security teams, it is advisable to block downloads of unverified repositories and run agents in isolated environments. As Dokhanian said: "Classic security principles cannot be overlooked when adopting new AI architectures."

Keep reading