The rubber stamp nobody asked for
Six of the most popular AI coding assistants share a dangerous design flaw. Researchers at Wiz have shown that a malicious repository can trick these tools into approving edits that overwrite sensitive files on a developer’s machine. In the worst case, that opens the door to remote code execution.
Wiz calls the vulnerability GhostApproval. It affects Amazon Q Developer, Anthropic’s Claude Code, Augment, Cursor, Google Antigravity, and Windsurf. The common thread? Symbolic links — symlinks — that make one file path secretly resolve to another.
The attack is elegantly simple. A repository contains a symlink disguised as an innocent file — say, project_settings.json. That symlink actually points at the developer’s SSH keys. When the developer asks the assistant to “set up the workspace” or follow the README, the agent follows the link and writes attacker-supplied content into the real target. The developer sees a harmless filename in the approval dialog and clicks “Yes.” They just handed over passwordless remote access.
Wiz published a proof of concept on July 7. The research team argues that the design effectively bypasses informed consent: the approval prompt shows only the harmless filename, not the real destination. So a developer approves an edit they cannot actually see.
For more on how rogue prompts can hijack coding agents, read our earlier piece on Agentjacking attacks against AI coding agents.
Who fixed it, who didn’t, and who argued
Wiz reported GhostApproval to all six vendors in early 2026. The responses were anything but uniform.
Amazon, Google, and Cursor treated it as a vulnerability and shipped fixes. Cursor even issued CVE-2026-50549 for the flaw.
Augment and Windsurf acknowledged the reports but, as of publication, have gone silent. No patches. Their users remain potentially exposed.
Anthropic took a different stance. The company disputed that Claude Code’s behavior is a vulnerability at all. Its argument: a user who trusts a directory and approves an edit owns that decision. Anthropic considers the scenario “outside our threat model.”
That disagreement gets at the heart of the issue. Wiz frames GhostApproval less as a collection of isolated bugs and more as a design question the industry has yet to settle: should an AI coding tool shield users from a deceptive workspace, or leave that judgment to the developer?
What developers should do now
The practical advice from Wiz is clear. Vendors should resolve symlinks before asking for approval and flag any write that lands outside the project directory.
Until then, developers using Augment or Windsurf should watch for updates — and think twice before approving edits from untrusted repositories. Even the most polished approval dialog is useless if it shows you a lie.
If you’re curious about related risks, check our guide on WhatsApp HD photo sending for a completely different kind of file-handling gotcha.