Vulnerability  ·  2026-07-10

GhostApproval: Symlink-Based Trust-Boundary Bypass Across Six Major AI Coding Assistants

VulnerabilityHigh impactGlobalCVE-2026-50549
Wiz researchers disclosed (Wiz blog, reported 2026-07-08 by SC Media/GBHackers/TheHackerNews/Cyber Security News) a systemic symlink-following trust-boundary flaw affecting six of the most widely used AI coding assistants, allowing a malicious repository to trick the agent into reading or writing files outside its intended workspace, up to and including planting SSH keys for persistent remote access.
This is a novel, cross-vendor agent-execution attack class with a working PoC (SSH key implantation demonstrated) affecting the trust model underpinning 'Human-in-the-Loop' safety for six major AI coding agents used by millions of developers. Vendor response is split — some patched, some (Augment, Windsurf) remain unfixed or dispute the finding — leaving a live, broad blast radius across developer machines that clone and analyze untrusted repositories with AI assistants.
A malicious repository contains a symlink disguised as an innocuous file (e.g., project_settings.json pointing to ~/.ssh/authorized_keys). When a developer asks their AI coding assistant to 'set up the workspace,' the agent follows the symlink and writes attacker-controlled content (e.g., an SSH public key) to the real target file outside the project sandbox. The confirmation/approval UI shown to the user displays only the harmless decoy filename, not the resolved sensitive path, making Human-in-the-Loop approval a rubber stamp — CWE-61 (symlink following) combined with CWE-451 (UI misrepresentation).
Amazon Q Developer (Language Servers for AWS < 1.69.0), Cursor (< 3.0), Google Antigravity, Anthropic Claude Code, Augment Code, Windsurf
AWS patched via Language Servers for AWS 1.69.0 (CVE-2026-12958, CVSS 7.8); Cursor patched in v3.0 (CVE-2026-50549, CVSS 9.8, GHSA-3v8f-48vw-3mjx); Google fixed Antigravity in May 2026 (CVE pending); Anthropic added symlink warnings to Claude Code v2.1.32. Augment Code disputes it is a vulnerability and has not patched; Windsurf's fix remains pending. Recommended mitigations: resolve canonical paths before displaying confirmation prompts, warn when actions target locations outside the workspace, and monitor for symlink creation/sensitive file modification.
SC Media — GhostApproval technique leads AI coding tools to alter files outside of sandboxCybersecurity News — New GhostApproval Vulnerability Affects Amazon Q, Claude Code, Cursor, and Other AI Agents
See this in the live feed Explore related AI security and governance findings — updated every morning.
Open the feed →