All incidents

GhostApproval symlink flaw affects AI coding assistants

vulnerabilityopenJul 9, 2026 — Jul 9, 2026
GhostApproval symlink flaw affects AI coding assistants

GHOSTAPPROVAL, a trust‑boundary flaw identified by Wiz, puts several AI coding assistants at risk of being tricked into granting access to malicious repositories.

The issue was first observed on 9 July 2026 and remains unpatched in some tools, exposing developers to potential remote code execution.

The vulnerability works by creating symbolic links that point to sensitive files while the AI assistant shows an approval prompt that masks the true destination.

Because the prompt does not reveal the actual target, a developer may unwittingly authorise access to SSH keys, configuration files or source code directories.

Amazon Q Developer, Google’s Claude Code and Cursor have issued fixes that address the symlink handling, and those updates are now available through their usual channels.

Augment and Windsurf have not released patches, and Anthropic maintains that the behaviour is a user‑responsibility matter rather than a vulnerability.

Infosecurity Magazine reported that the flaw revives a classic symlink attack vector in the context of AI‑driven development pipelines.

SecurityWeek added that attackers could leverage GhostApproval to steal credentials or execute arbitrary code on a compromised workstation.

Defenders should always verify the full path displayed in any permission dialog before granting access, and they should disable automatic symlink following in their development environments where feasible.

Running the assistants inside restricted sandboxes, containers or virtual machines adds an extra layer of isolation that limits potential damage.

Applying the patches from Amazon, Google and Cursor is a priority, and organisations should keep an inventory of all AI coding tools in use.

Enforcing least‑privilege accounts, monitoring for unexpected file reads or writes, and educating teams about symlink risks will help mitigate the threat until every vendor supplies a fix.

Intelligence briefing updated Jul 9, 2026

Root sourcewww.wiz.io
Timeline Coverage

Swipe to explore timeline