{"id":14174,"date":"2026-07-09T10:03:39","date_gmt":"2026-07-09T10:03:39","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/07\/09\/new-ghostapproval-vulnerability-affects-amazon-q-claude-code-cursor-and-other-ai-agents\/"},"modified":"2026-07-09T10:03:39","modified_gmt":"2026-07-09T10:03:39","slug":"new-ghostapproval-vulnerability-affects-amazon-q-claude-code-cursor-and-other-ai-agents","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/07\/09\/new-ghostapproval-vulnerability-affects-amazon-q-claude-code-cursor-and-other-ai-agents\/","title":{"rendered":"New GhostApproval Vulnerability Affects Amazon Q, Claude Code, Cursor, and Other AI Agents"},"content":{"rendered":"<p>    New GhostApproval Vulnerability Affects Amazon Q, Claude Code, Cursor, and Other AI Agents<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n    <!-- no image --><br \/>\n \t<BR><br \/>\n<BR><\/BR><\/p>\n<div>\n<p class=\"wp-block-paragraph\">A newly disclosed vulnerability pattern dubbed \u201cGhostApproval\u201d has exposed a critical security flaw in six of the most widely used AI coding assistants: Amazon Q Developer, <a href=\"https:\/\/cybersecuritynews.com\/anthropic-claude-hidden-code\/\" target=\"_blank\" rel=\"noreferrer noopener\">Anthropic Claude Code<\/a>, Augment, Cursor, Google Antigravity, and Windsurf, allowing malicious repositories to bypass Human-in-the-Loop safety controls and potentially achieve remote code execution on developer machines.<\/p>\n<p class=\"wp-block-paragraph\">Discovered by Wiz researchers, GhostApproval exploits a deceptively simple but deeply impactful technique: symbolic link following (<a href=\"https:\/\/cwe.mitre.org\/data\/definitions\/61.html\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">CWE-61<\/a>).<\/p>\n<p class=\"wp-block-paragraph\">A symlink is a filesystem pointer that makes one path silently resolve to another. While this primitive has been exploited for decades in Docker escapes (<a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2024-21626\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">CVE-2024-21626<\/a>), npm package managers (<a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/cve-2021-32803\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">CVE-2021-32803<\/a>), and Linux privilege escalation, its application to AI coding agents represents a novel and systematic attack surface.<\/p>\n<p class=\"wp-block-paragraph\">The attack is elegantly simple. An attacker creates a malicious repository containing a <a href=\"https:\/\/cybersecuritynews.com\/microsofts-symlink-patch-dos-vulnerability\/\" target=\"_blank\" rel=\"noreferrer noopener\">symlink<\/a>, for example, <code>project_settings.json<\/code> \u2192 <code>~\/.ssh\/authorized_keys<\/code>.<\/p>\n<figure class=\"wp-block-image size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgSQI8lJG0-YV_93WmTs3NVdjmMZczdtnJV2OYhdMvwl3tJu4fTUwTuPF3PDZGCzsZX3BnzUXkh3fhplnG-jheXzYcYwmNynKrAxRmMuHZ8g0yIaPZ62o1sutyvckaiYjw6xLhYYNN9JEzPJ2K84YumFUC7f3VsOIFSAj9ITlRTHXot_Hza5FF63tbyfg3-\/s1600\/GhostApproval%2520Vulnerability1.webp?ssl=1\" alt=\"\"><figcaption class=\"wp-element-caption\">GhostApproval Attack (Source: Wiz)<\/figcaption><\/figure>\n<p class=\"wp-block-paragraph\">When a victim clones the repo and asks their AI coding assistant to \u201cset up the workspace,\u201d the agent follows the symlink and writes the attacker\u2019s SSH public key directly to the victim\u2019s <code>authorized_keys<\/code> file. The result: persistent, password-less SSH access to the developer\u2019s machine.<\/p>\n<p class=\"wp-block-paragraph\">What elevates GhostApproval beyond a straightforward symlink exploit is the UI misrepresentation layer (<a href=\"https:\/\/cwe.mitre.org\/data\/definitions\/451.html\" target=\"_blank\" rel=\"noreferrer noopener\">CWE-451<\/a>). The most striking example was observed in Anthropic\u2019s Claude Code.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEijNE_8-vNK57stYrTgnxTckz3GsuJYg5a7xSx3ZMXBvAXk9ITHBbbr84oQU_hmrr4EMjMhg70dIYwc4ClWQwslLH0aFSf-6Rn-KPuS-Z1bAb38zgOuIJ_h0khiZM7ZOqZ4I_vz4IHsI-P-M6Xo2eHbanEqjBoI7B8kg48QnPCSphOXrauI6Jvj4cQJ44gZ\/w640-h592\/Anthropic%27s%2520Claude%2520Code.webp?ssl=1\" alt=\"\"><figcaption class=\"wp-element-caption\">GhostApproval Anthropic\u2019s Claude Code (Source: WIZ)<\/figcaption><\/figure>\n<\/div>\n<p class=\"wp-block-paragraph\">During testing, the agent\u2019s internal reasoning explicitly stated: <em>\u201cI can see that project_settings.json is actually a zsh configuration file.\u201d<\/em> Yet the confirmation prompt displayed to the user simply asked: <em>\u201cMake this edit to project_settings.json?\u201d<\/em><\/p>\n<p class=\"wp-block-paragraph\">The agent knew the true target. The user did not. This transforms a sandbox bypass into an informed consent bypass; the Human-in-the-Loop safety net becomes a rubber stamp.<\/p>\n<figure class=\"wp-block-table\">\n<table class=\"has-fixed-layout\">\n<thead>\n<tr>\n<th>Vendor<\/th>\n<th>Severity<\/th>\n<th>CVE<\/th>\n<th>Fixed Version<\/th>\n<th>Status<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>Amazon Web Services<\/td>\n<td>High<\/td>\n<td>CVE-2026-12958<\/td>\n<td>Language server v1.69.0<\/td>\n<td><strong>Fixed<\/strong><\/td>\n<\/tr>\n<tr>\n<td>Google (Antigravity)<\/td>\n<td>Critical<\/td>\n<td>Pending<\/td>\n<td>v1.19.6<\/td>\n<td><strong>Fixed<\/strong><\/td>\n<\/tr>\n<tr>\n<td>Cursor<\/td>\n<td>Critical<\/td>\n<td>CVE-2026-50549<\/td>\n<td>v3.0<\/td>\n<td><strong>Fixed<\/strong><\/td>\n<\/tr>\n<tr>\n<td>Augment<\/td>\n<td>Critical<\/td>\n<td>\u2014<\/td>\n<td>v0.754.3<\/td>\n<td>In Progress<\/td>\n<\/tr>\n<tr>\n<td>Windsurf<\/td>\n<td>Critical<\/td>\n<td>\u2014<\/td>\n<td>v1.9566 (tested)<\/td>\n<td>In Progress<\/td>\n<\/tr>\n<tr>\n<td>Anthropic (Claude Code)<\/td>\n<td>Disputed<\/td>\n<td>\u2014<\/td>\n<td>v2.1.42<\/td>\n<td>Rejected \/ Patched<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p class=\"wp-block-paragraph\">Three vendors patched the vulnerability promptly: AWS, Cursor, and Google. AWS fixed the issue in language server version 1.69.0 (deployed May 27, 2026) and assigned CVE-2026-12958.<\/p>\n<p class=\"wp-block-paragraph\">The update ships automatically, and customers can trigger it by reloading their IDE. Cursor released its fix in v3.0 (June 5, 2026) under CVE-2026-50549. Google deployed its fix on May 22, 2026, and is assessing whether to issue a CVE.<\/p>\n<p class=\"wp-block-paragraph\">Augment and Windsurf acknowledged the reports but provided no further updates at the time of Wiz publication. Windsurf\u2019s pre-authorization variant was particularly dangerous: the agent writes to disk <em>before<\/em> the Accept\/Reject dialog appears, meaning the confirmation dialog functions as an undo button rather than an authorization gate.<\/p>\n<p class=\"wp-block-paragraph\">Anthropic initially rejected the report as \u201coutside our threat model,\u201d arguing that user-trusted directories and user-approved prompts place responsibility on the user. However, versions 2.1.173+ now resolve symlinks and warn users before writing to sensitive files.<\/p>\n<p class=\"wp-block-paragraph\">Anthropic later clarified with Wiz that this symlink warning shipped in v2.1.32 on February 5, 2026 \u2014 nine days before the report was submitted as part of proactive internal security hardening.<\/p>\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.wiz.io\/blog\/ghostapproval-a-trust-boundary-gap-in-ai-coding-assistants\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Wiz researchers outlined<\/a> three core mitigations for AI coding tool vendors:<\/p>\n<ul class=\"wp-block-list\">\n<li>Resolve symlinks before displaying prompts \u2014 always show the canonical target path, not the symlink name<\/li>\n<li>Warn explicitly when the resolved path exits the workspace \u2014 a write to <code>~\/.ssh\/authorized_keys<\/code> must look categorically different from a write to <code>.\/config.json<\/code>\n<\/li>\n<li>Never write to disk before explicit user authorization \u2014 confirmation dialogs must be gates, not undo mechanisms<\/li>\n<\/ul>\n<p class=\"wp-block-paragraph\">Initial discovery occurred on February 10, 2026, with vendor reports submitted between February 12 and March 5, 2026. Public disclosure was made on July 8, 2026, following the 90+ day coordinated disclosure window.<\/p>\n<p class=\"wp-block-paragraph\">GhostApproval is not a collection of individual bugs; it is a category-level design gap across AI coding tools. As agents gain greater autonomy over developer filesystems, the integrity of Human-in-the-Loop controls must be treated as a first-class security requirement, not an afterthought.<\/p>\n<p class=\"has-text-align-center has-background wp-block-paragraph\" style=\"background:linear-gradient(180deg,rgb(238,238,238) 87%,rgb(169,184,195) 100%)\"><strong>Stop Accepting SLAs Written for 2019 SOCs \u2013 Here\u2019s the 2026 AI SLA <strong>Vendor<\/strong> Checklist<\/strong> \u2013 <strong><a href=\"https:\/\/underdefense.com\/ai-soc-sla-in-2026-mttr-benchmarks-clause-tables-negotiation-checklist\/?utm_source=cybersecuritynews.com&amp;utm_medium=online_media&amp;utm_campaign=csn_linkedin_newsletter_aisoc_sla_july_2026\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Download Free <strong>AI SOC SLA <\/strong>Guide<\/a><\/strong><\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/ghostapproval-vulnerability\/\">New GhostApproval Vulnerability Affects Amazon Q, Claude Code, Cursor, and Other AI Agents<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p> \t<BR><br \/>\n <BR><\/BR><br \/>\n    Guru Baran<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n<a href=\"https:\/\/cybersecuritynews.com\/ghostapproval-vulnerability\/\">Go to cyber-security-news<\/a><br \/>\n \t<BR><br \/>\n <BR><\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"<p>New GhostApproval Vulnerability Affects Amazon Q, Claude Code, Cursor, and Other AI Agents A newly disclosed vulnerability pattern dubbed \u201cGhostApproval\u201d has exposed a critical security flaw in six of the most widely used AI coding assistants: Amazon Q Developer, Anthropic Claude Code, Augment, Cursor, Google Antigravity, and Windsurf, allowing malicious repositories to bypass Human-in-the-Loop safety [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,648],"tags":[130],"class_list":["post-14174","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-vulnerability-news","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/14174"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=14174"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/14174\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=14174"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=14174"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=14174"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}