New GhostApproval Vulnerability Affects Amazon Q, Claude Code, Cursor, and Other AI Agents

New GhostApproval Vulnerability Affects Amazon Q, Claude Code, Cursor, and Other AI Agents










A newly disclosed vulnerability pattern dubbed “GhostApproval” has exposed a critical security flaw in six of the most widely used AI coding assistants: Amazon Q Developer, Anthropic Claude Code, Augment, Cursor, Google Antigravity, and Windsurf, allowing malicious repositories to bypass Human-in-the-Loop safety controls and potentially achieve remote code execution on developer machines.

Discovered by Wiz researchers, GhostApproval exploits a deceptively simple but deeply impactful technique: symbolic link following (CWE-61).

A symlink is a filesystem pointer that makes one path silently resolve to another. While this primitive has been exploited for decades in Docker escapes (CVE-2024-21626), npm package managers (CVE-2021-32803), and Linux privilege escalation, its application to AI coding agents represents a novel and systematic attack surface.

The attack is elegantly simple. An attacker creates a malicious repository containing a symlink, for example, project_settings.json~/.ssh/authorized_keys.

GhostApproval Attack (Source: Wiz)

When a victim clones the repo and asks their AI coding assistant to “set up the workspace,” the agent follows the symlink and writes the attacker’s SSH public key directly to the victim’s authorized_keys file. The result: persistent, password-less SSH access to the developer’s machine.

What elevates GhostApproval beyond a straightforward symlink exploit is the UI misrepresentation layer (CWE-451). The most striking example was observed in Anthropic’s Claude Code.

GhostApproval Anthropic’s Claude Code (Source: WIZ)

During testing, the agent’s internal reasoning explicitly stated: “I can see that project_settings.json is actually a zsh configuration file.” Yet the confirmation prompt displayed to the user simply asked: “Make this edit to project_settings.json?”

The agent knew the true target. The user did not. This transforms a sandbox bypass into an informed consent bypass; the Human-in-the-Loop safety net becomes a rubber stamp.

Vendor Severity CVE Fixed Version Status
Amazon Web Services High CVE-2026-12958 Language server v1.69.0 Fixed
Google (Antigravity) Critical Pending v1.19.6 Fixed
Cursor Critical CVE-2026-50549 v3.0 Fixed
Augment Critical v0.754.3 In Progress
Windsurf Critical v1.9566 (tested) In Progress
Anthropic (Claude Code) Disputed v2.1.42 Rejected / Patched

Three vendors patched the vulnerability promptly: AWS, Cursor, and Google. AWS fixed the issue in language server version 1.69.0 (deployed May 27, 2026) and assigned CVE-2026-12958.

The update ships automatically, and customers can trigger it by reloading their IDE. Cursor released its fix in v3.0 (June 5, 2026) under CVE-2026-50549. Google deployed its fix on May 22, 2026, and is assessing whether to issue a CVE.

Augment and Windsurf acknowledged the reports but provided no further updates at the time of Wiz publication. Windsurf’s pre-authorization variant was particularly dangerous: the agent writes to disk before the Accept/Reject dialog appears, meaning the confirmation dialog functions as an undo button rather than an authorization gate.

Anthropic initially rejected the report as “outside our threat model,” arguing that user-trusted directories and user-approved prompts place responsibility on the user. However, versions 2.1.173+ now resolve symlinks and warn users before writing to sensitive files.

Anthropic later clarified with Wiz that this symlink warning shipped in v2.1.32 on February 5, 2026 — nine days before the report was submitted as part of proactive internal security hardening.

Wiz researchers outlined three core mitigations for AI coding tool vendors:

  • Resolve symlinks before displaying prompts — always show the canonical target path, not the symlink name
  • Warn explicitly when the resolved path exits the workspace — a write to ~/.ssh/authorized_keys must look categorically different from a write to ./config.json
  • Never write to disk before explicit user authorization — confirmation dialogs must be gates, not undo mechanisms

Initial discovery occurred on February 10, 2026, with vendor reports submitted between February 12 and March 5, 2026. Public disclosure was made on July 8, 2026, following the 90+ day coordinated disclosure window.

GhostApproval is not a collection of individual bugs; it is a category-level design gap across AI coding tools. As agents gain greater autonomy over developer filesystems, the integrity of Human-in-the-Loop controls must be treated as a first-class security requirement, not an afterthought.

Stop Accepting SLAs Written for 2019 SOCs – Here’s the 2026 AI SLA Vendor ChecklistDownload Free AI SOC SLA Guide

The post New GhostApproval Vulnerability Affects Amazon Q, Claude Code, Cursor, and Other AI Agents appeared first on Cyber Security News.






Guru Baran





Go to cyber-security-news





by