GhostApproval Technique Exploits AI Coding Tools to Bypass Sandbox Security
‘GhostApproval’ technique enables malicious code repositories to manipulate AI coding tools into modifying files beyond their designated workspaces, according to a report.
How the Attack Works
Exploiting Symbolic Links
Researchers at Wiz identified the method, which exploits symbolic links to deceive AI assistants into altering files outside their sandboxed environments. The attack leverages symlinks—files that reference other files via pathnames—to redirect modifications to critical system locations.
Demonstration of the Attack
A malicious repository containing a README file instructs the AI to edit a file within the workspace, which is actually a symlink pointing to a sensitive file on the user’s machine. Wiz demonstrated how this could be used to inject an attacker’s SSH public key into the victim’s “~/.ssh/authorized_keys” file, granting unauthorized access.
Affected Tools and Responses
AWS and Others
Testing across six AI coding tools revealed that all executed the file write without sufficient user warnings. The affected products included Amazon Q Developer, Anthropic Claude Code, Augment Code, Cursor, Google Antigravity, and Windsurf. As of the report, AWS, Anthropic, Cursor, and Google had released patches, while Windsurf’s response remained unresolved.
Anthropic and Augment Code
AWS addressed the flaw in Language Servers for AWS version 1.69.0, assigning it CVE-2026-12958 with a CVSS score of 7.8. The patch was included in an AWS security bulletin dated June 23, 2026. Wiz noted that Amazon Q Developer wrote the SSH key to the target filesystem before offering an “undo” option, while also flagging the decoy file (project_settings.json) as a symlink during workspace setup.
Cursor resolved the issue in version 3.0, tracking it as CVE-2026-50549 with a CVSS score of 9.8. The tool executed the file write outside its sandbox with user approval, but the UI displayed changes only to project_settings.json, obscuring the symlink path. Cursor’s advisory for CVE-2026-50549, issued June 5, 2026, urged users to update to version 3.0 and credited Wiz Threat Researcher Maor Dokhanian and Cato AI Labs.
Google fixed the vulnerability in Google Antigravity in May 2026 and is evaluating CVE designation. Like Cursor, Antigravity’s permission dialog displayed “project_settings.json” instead of the resolved symlink path, ultimately writing to ~/.ssh/authorized_keys.
Anthropic Claude Code initially identified the symlink during its internal processing but only prompted for changes to “project_settings.json” in the permission dialog. The company added a symlink warning to Claude Code v2.1.32 on February 5, 2026, as part of proactive security measures. Anthropic’s initial response stated the issue “fell outside the Claude Code threat model,” citing user responsibility for trusting directories before sessions. However, the company later clarified this was an automated response.
Windsurf’s Response
Augment Code and Windsurf have not addressed the flaw. Wiz demonstrated that Augment Code could write an SSH key to ~/.ssh/authorized_keys and create shell persistence via ~/.zhrc, acknowledging the symlink to the zsh configuration file in its output. Despite this, the assistant performed both actions without a permission prompt.
Wiz also showed Augment Code could access files outside its workspace by following a symlink to a file containing fake AWS credentials. An Augment spokesperson stated the behavior aligns with the product’s design, arguing that agents must operate under user credentials to function effectively. “The symlink technique is akin to lock-picking an already open gate,” the statement claimed, emphasizing shared responsibility for vetting third-party code.
Windsurf’s assistant wrote the SSH key outside the workspace before displaying a confirmation prompt, which Wiz researchers noted functioned as an undo mechanism rather than an authorization step. SC Media sought clarification from Windsurf but received no response.
Conclusion
The report underscores the risks of AI coding tools interacting with untrusted repositories, highlighting the need for robust safeguards against symlink-based attacks. Enterprises are advised to monitor updates from software vendors and implement strict access controls for AI-assisted workflows.
“The symlink technique is akin to lock-picking an already open gate,” the statement claimed, emphasizing shared responsibility for vetting third-party code.
