What happened
Wiz researchers disclosed (Wiz blog, reported 2026-07-08 by SC Media/GBHackers/TheHackerNews/Cyber Security News) a systemic symlink-following trust-boundary flaw affecting six of the most widely used AI coding assistants, allowing a malicious repository to trick the agent into reading or writing files outside its intended workspace, up to and including planting SSH keys for persistent remote access.
Why it matters
This is a novel, cross-vendor agent-execution attack class with a working PoC (SSH key implantation demonstrated) affecting the trust model underpinning 'Human-in-the-Loop' safety for six major AI coding agents used by millions of developers. Vendor response is split — some patched, some (Augment, Windsurf) remain unfixed or dispute the finding — leaving a live, broad blast radius across developer machines that clone and analyze untrusted repositories with AI assistants.
Attack vector
A malicious repository contains a symlink disguised as an innocuous file (e.g., project_settings.json pointing to ~/.ssh/authorized_keys). When a developer asks their AI coding assistant to 'set up the workspace,' the agent follows the symlink and writes attacker-controlled content (e.g., an SSH public key) to the real target file outside the project sandbox. The confirmation/approval UI shown to the user displays only the harmless decoy filename, not the resolved sensitive path, making Human-in-the-Loop approval a rubber stamp — CWE-61 (symlink following) combined with CWE-451 (UI misrepresentation).
Affected systems
Amazon Q Developer (Language Servers for AWS < 1.69.0), Cursor (< 3.0), Google Antigravity, Anthropic Claude Code, Augment Code, Windsurf
Mitigation
AWS patched via Language Servers for AWS 1.69.0 (CVE-2026-12958, CVSS 7.8); Cursor patched in v3.0 (CVE-2026-50549, CVSS 9.8, GHSA-3v8f-48vw-3mjx); Google fixed Antigravity in May 2026 (CVE pending); Anthropic added symlink warnings to Claude Code v2.1.32. Augment Code disputes it is a vulnerability and has not patched; Windsurf's fix remains pending. Recommended mitigations: resolve canonical paths before displaying confirmation prompts, warn when actions target locations outside the workspace, and monitor for symlink creation/sensitive file modification.