Security researchers have identified a vulnerability, termed ‘GhostApproval,’ affecting several AI-powered coding assistants. This flaw enables malicious code repositories to execute unauthorized commands on developers’ systems by exploiting symbolic links (symlinks) and misleading approval prompts.
Understanding the GhostApproval Vulnerability
The GhostApproval attack leverages symlinks—a Unix feature that allows a file to point to another file elsewhere on the system. In this scenario, a malicious repository contains a symlink that appears as a benign file but actually targets a sensitive system file. When an AI coding assistant processes this repository, it may prompt the developer to approve modifications to the seemingly harmless file. However, due to the symlink, the assistant writes to the critical system file instead, potentially granting unauthorized access or executing arbitrary code.
Impacted AI Coding Assistants
The following AI coding assistants have been identified as vulnerable to the GhostApproval attack:
- Amazon Q Developer: Addressed the issue in Language Server version 1.69.0 (CVE-2026-12958). Users should ensure their software is updated to this version.
- Cursor: Released a fix in version 3.0 (CVE-2026-50549). Users are advised to update via the extension manager.
- Google Antigravity: Implemented a fix; users should update to the latest version.
- Augment: Acknowledged the vulnerability but has not yet released a fix. Users should avoid using the assistant with untrusted repositories.
- Windsurf: Acknowledged the issue without a current fix. Users are advised to refrain from using the assistant with untrusted repositories.
- Anthropic’s Claude Code: Disputes the classification of the issue as a vulnerability but has updated the assistant to warn users about symlinks. Users should update and heed these warnings before approving any changes.
Mechanism of the Attack
In a typical GhostApproval attack, a malicious repository includes a symlink named, for example, project_settings.json, which actually points to a sensitive file like the SSH authorized keys file (~/.ssh/authorized_keys). The repository’s README file instructs the AI assistant to append a line to project_settings.json. If the developer approves this action, the assistant writes the line—potentially an attacker’s SSH key—into the actual authorized keys file due to the symlink. This grants the attacker unauthorized SSH access to the developer’s system.
Another variant targets the shell startup file (~/.zshrc), allowing the attacker to execute arbitrary commands the next time the developer opens a terminal session.
Deceptive Approval Prompts
A critical aspect of the GhostApproval attack is the misleading nature of the approval prompts presented by the AI assistants. These prompts may display the name of the benign-looking symlink file, concealing the fact that the actual target is a sensitive system file. This misrepresentation leads developers to unknowingly approve actions that compromise their systems.
Recommendations for Developers
To mitigate the risks associated with the GhostApproval vulnerability, developers should:
- Update their AI coding assistants to the latest versions that address the issue.
- Exercise caution when using AI assistants with untrusted code repositories.
- Carefully review approval prompts and be wary of any actions involving symlinks or unexpected file modifications.
As AI coding assistants become more integrated into development workflows, ensuring their security is paramount. Developers must remain vigilant and adopt best practices to safeguard their systems against such vulnerabilities.