Close Menu
  • Home
  • News
  • Cyber Security
  • Internet of Things
  • Tips and Advice

Subscribe to Updates

Get the latest creative news from FooBar about art, design and business.

What's Hot

75% CISOs Fear Executives Don’t Understand Cybersecurity Risks

July 9, 2026

PamStealer Uses Fake Maccy Sites and PAM Checks to Steal Mac Login Passwords

July 9, 2026

GhostApproval Flaw Hits Six Major AI Coding Assistants

July 9, 2026
Facebook X (Twitter) Instagram
Thursday, July 9
Facebook X (Twitter) Instagram Pinterest Vimeo
Cyberwire Daily
  • Home
  • News
  • Cyber Security
  • Internet of Things
  • Tips and Advice
Cyberwire Daily
Home»Cyber Security»GhostApproval Flaw Hits Six Major AI Coding Assistants
Cyber Security

GhostApproval Flaw Hits Six Major AI Coding Assistants

Team-CWDBy Team-CWDJuly 9, 2026No Comments2 Mins Read
Share Facebook Twitter Pinterest LinkedIn Tumblr Reddit Telegram Email
Share
Facebook Twitter LinkedIn Pinterest Email


Six major AI coding assistants have been found to share a flaw that turns their approval prompts into a rubber stamp, letting a malicious repository write to sensitive files on a developer’s machine and, in the worst case, achieve remote code execution.

Wiz Research named the flaw GhostApproval and found it in Amazon Q Developer, Anthropic’s Claude Code, Augment, Cursor, Google Antigravity and Windsurf.

The technique relies on symbolic links, or symlinks, which make one file path secretly resolve to another.

One Trusted Approval, One Hidden Target

In a proof of concept (PoC) published on July 7, Wiz showed how a symlink inside a repository, disguised as an innocent file such as project_settings.json could actually point at the developer’s SSH keys.

When the developer asked the assistant to “set up the workspace” or follow the README, the agent followed the link and wrote an attacker-supplied key into the real target, handing over passwordless remote access.

Wiz said the design effectively bypasses informed consent: in several tools, the agent resolved the file to a sensitive location, yet the approval dialog showed only the harmless filename, so a developer approved an edit they could not actually see.

Read more on hijacking AI coding agents: New “Agentjacking” Attacks Could Hijack AI Coding Agents

Fixed, Silent or Disputed

In early 2026, Wiz said it reported GhostApproval to all six vendors. 

Amazon, Google and Cursor treated it as a vulnerability and shipped fixes. Cursor issued CVE-2026-50549 to the the flaw.

Augment and Windsurf acknowledged the reports but, as of publication, had gone quiet without a fix, leaving their users potentially exposed.

Anthropic disputed that Claude Code’s behavior was a vulnerability. It argued that a user who trusts a directory and approves an edit owns that decision, putting the scenario “outside our threat model.”

Wiz framed GhostApproval less as isolated bugs than as a design question the industry has yet to settle: whether an AI coding tool should shield users from a deceptive workspace, or leave that to their judgment.

Its advice to vendors was to resolve symlinks before asking for approval and to flag any write that lands outside the project. 

Developers using Augment or Windsurf, meanwhile, should watch for updates.



Source

Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
Previous ArticleVibe-Coded Malware Caught in Active Directory Attack
Next Article PamStealer Uses Fake Maccy Sites and PAM Checks to Steal Mac Login Passwords
Team-CWD
  • Website

Related Posts

Cyber Security

How Faster Cyber-Attacks Are Reshaping Cybersecurity Strategy

July 8, 2026
Cyber Security

Hackers Exploit Maximum Severity Adobe ColdFusion Flaw

July 7, 2026
Cyber Security

Indirect Prompt Injection in Web Content Targets AI Agents

July 6, 2026
Add A Comment
Leave A Reply Cancel Reply

Latest News

North Korean Hackers Turn JSON Services into Covert Malware Delivery Channels

November 24, 202523 Views

macOS Stealer Campaign Uses “Cracked” App Lures to Bypass Apple Securi

September 7, 202517 Views

North Korean Hackers Target Crypto Firms with ClickFix and Zoom Lures

April 29, 202610 Views

Why SOC Burnout Can Be Avoided: Practical Steps

November 14, 20259 Views

Cyber M&A Roundup: Cyber Giants Strengthen AI Security Offerings

December 1, 20258 Views
Stay In Touch
  • Facebook
  • YouTube
  • TikTok
  • WhatsApp
  • Twitter
  • Instagram
Most Popular

North Korean Hackers Turn JSON Services into Covert Malware Delivery Channels

November 24, 202523 Views

macOS Stealer Campaign Uses “Cracked” App Lures to Bypass Apple Securi

September 7, 202517 Views

North Korean Hackers Target Crypto Firms with ClickFix and Zoom Lures

April 29, 202610 Views
Our Picks

Find your weak spots before attackers do

November 21, 2025

A quick guide to recovering a hacked account

March 21, 2026

How the always-on generation can level up their cybersecurity game

September 11, 2025

Subscribe to Updates

Get the latest news from cyberwiredaily.com

Facebook X (Twitter) Instagram Pinterest
  • Home
  • Contact
  • Privacy Policy
  • Terms of Use
  • California Consumer Privacy Act (CCPA)
© 2026 All rights reserved.

Type above and press Enter to search. Press Esc to cancel.