"The consent is formally present but substantively empty," Wiz threat researcher Maor Dokhanian wrote, summarizing how a deceptively simple file trick can strip meaning from the human approvals that many AI coding assistants rely on.
GhostApproval and the symlink attack
Wiz, the Google-owned security business, named the flaw "GhostApproval." At its core the exploit reuses an old Unix-era mechanism — a symbolic link, or "symlink" — to point a seemingly harmless project file at a sensitive system path. In Wiz's proof-of-concept, an attacker creates a repository containing a symlink such as project_settings.json that actually points to ~/.ssh/authorized_keys, and a README instructing the coding agent to "update project_settings.json" with an SSH public key. An agent that follows the instruction and resolves the symlink will write the attacker's key into the victim's ~/.ssh/authorized_keys, granting long-term, password-less SSH access to the machine.
Wiz discovery, the proof-of-concept, and the affected agents
Wiz publicly disclosed the systematic vulnerability pattern after reporting it to six widely used AI coding assistants: Amazon Q Developer, Anthropic Claude Code, Augment, Cursor, Google Antigravity, and Windsurf. Wiz included a proof-of-concept in its technical write-up showing the repository setup and the README instructions that prompt the agent to perform the write.
Wiz emphasized the broader design failing: many tools surface confirmation dialogs as a human-in-the-loop safety net, but the dialogs hid the true symlink target. "The failure is not just that the symlink is followed – it's that the UI doesn't reveal the true target," Dokhanian wrote, noting that trust-boundary gaps emerge "between users, AI agents, and local filesystems." Wiz also said there is no indication the vulnerability is being actively exploited in the wild, but warned it remains a serious enterprise threat when coding agents are granted deep access to codebases and cloud environments.
Amazon Q Developer, Cursor, and Google Antigravity — fixes and CVEs
Some vendors treated the issue as a reportable security vulnerability and issued fixes. Amazon classified the bug in Q Developer as a high-severity, pre-authorization write bug, issued CVE-2026-12958, and implemented a fix. Cursor issued CVE-2026-50549 and addressed the flaw in its v3.0 update. Google deemed the issue critical in Antigravity and, according to Dokhanian, "successfully deployed a fix for the flaw on May 22"; Google is "in the process of assessing CVE issuance," Wiz said.
Anthropic Claude Code, Augment, and Windsurf — divergent responses
Responses from other vendors were mixed. Anthropic's internal reasoning reportedly recognized that project_settings.json was actually a zsh configuration file, yet the prompt shown to users read: "Make this edit to project_settings.json?" According to Wiz, Anthropic told the company the scenario "falls outside our current threat model" because users must confirm they trust the directory before starting a Claude Code session; the company closed the ticket and labeled the report "informative." Wiz noted that current Claude versions (2.1.173+) do resolve symlinks and warn users before writing to sensitive files, but Anthropic did not say whether that change was related to Wiz's report. The Register did not receive a response from Anthropic.
Augment and Windsurf acknowledged Wiz's disclosure but had not issued patches at press time. An Augment spokesperson credited Wiz for disclosure and argued that "a coding agent needs to be able to edit and run code to be useful; and when it does that, it operates under your credentials," adding the company's view that this is a shared responsibility and an architectural constraint. Windsurf did not respond to The Register's inquiries.
What this means for technologists, enterprises, and end users
- Technologists and security teams: The incident underscores a specific, actionable gap — confirmation UIs must display the true filesystem target and tools should resolve or otherwise explicitly surface symlinks before performing file writes. Wiz singled out classic security principles like resolving symlinks as essential in new AI architectures.
- Enterprises and procurement leaders: The vulnerability illustrates operational risk when AI coding agents are granted deep access to codebases and cloud resources. Several vendors patched quickly and issued CVEs; others have not yet patched, leaving a mixed landscape to manage.
- End users and developers: Where a tool relies on a "trust-this-directory" model, that trust can be abused by a malicious repository. Users who ask agents to "set up the workspace" or "follow the README" may unknowingly approve sensitive edits unless the UI shows the real targets.
GhostApproval is a tidy example of how an old filesystem shortcut can become a modern supply-chain problem when autonomous agents are asked to act on developer instructions. Some vendors moved to fix the issue and document it with CVEs; others treated it as a user responsibility or left it unpatched. The remaining question, in Wiz's framing, is whether tools should be expected to protect users from deceptive workspaces — or whether recognition of a malicious workspace is the user's problem to solve.




