GhostApproval Vulnerability Exposes AI Coding Assistants to Remote Code Execution

A recently identified security flaw, termed “GhostApproval,” has been found to affect six prominent AI coding assistants: Amazon Q Developer, Anthropic Claude Code, Augment, Cursor, Google Antigravity, and Windsurf. This vulnerability enables malicious repositories to circumvent Human-in-the-Loop safety mechanisms, potentially leading to remote code execution on developers’ machines.

Researchers at Wiz uncovered that GhostApproval exploits symbolic link (symlink) following, a known security issue cataloged as CWE-61. Symlinks are filesystem pointers that can redirect one file path to another. While symlink vulnerabilities have been exploited in various contexts, their application to AI coding assistants introduces a new attack vector.

The attack method involves an attacker creating a malicious repository containing a symlink, such as linking `project_settings.json` to `~/.ssh/authorized_keys`. When a developer clones this repository and instructs their AI coding assistant to set up the workspace, the assistant follows the symlink and writes the attacker’s SSH public key into the developer’s `authorized_keys` file. This action grants the attacker persistent, password-less SSH access to the developer’s machine.

Compounding the issue is a user interface misrepresentation, identified as CWE-451. For instance, in Anthropic’s Claude Code, the assistant internally recognizes that `project_settings.json` is actually a zsh configuration file. However, the confirmation prompt presented to the user simply asks to edit `project_settings.json`, omitting the critical information about the file’s true nature. This discrepancy undermines the effectiveness of Human-in-the-Loop safety measures.

Responses from vendors have varied:

  • Amazon Web Services (AWS): Addressed the issue in language server version 1.69.0, released on May 27, 2026, and assigned it CVE-2026-12958. The update is automatically deployed, and users can trigger it by reloading their Integrated Development Environment (IDE).
  • Cursor: Released a fix in version 3.0 on June 5, 2026, under CVE-2026-50549.
  • Google: Deployed a fix on May 22, 2026, and is evaluating the issuance of a CVE.
  • Augment and Windsurf: Acknowledged the reports but have not provided further updates. Notably, Windsurf’s variant of the vulnerability is particularly concerning, as the assistant writes to disk before displaying an Accept/Reject dialog, effectively rendering the confirmation prompt as an undo button rather than an authorization gate.
  • Anthropic: Initially rejected the report as “outside our threat model.”

The GhostApproval vulnerability underscores the importance of robust security measures in AI coding assistants. Developers are advised to update their tools promptly and remain vigilant when integrating AI agents into their workflows. This incident highlights the need for continuous evaluation and enhancement of security protocols to safeguard against evolving threats in software development environments.