
Security researchers at Wiz have discovered a systematic vulnerability affecting six of the most widely used AI coding assistants, revealing that a classic Unix-era attack vector, the symbolic link, can trick autonomous agents into writing to sensitive files outside their designated workspace.
Dubbed GhostApproval, the vulnerability exploits the trust gap between what an AI coding agent sees and what the underlying filesystem actually contains. An attacker creates a malicious repository with a symlink disguised as a harmless configuration file, pointing it at a sensitive target such as `~/.ssh/authorized_keys`. When the developer asks the agent to set up the workspace or follow the project’s README, the agent follows the symlink and writes attacker-controlled content to the real target.
How the attack works
In a proof of concept described by Wiz researcher Maor Dokhanian, the attacker creates a directory with a symlink called `project_settings.json` that points to `.ssh/authorized_keys`. The README instructs the developer to add an SSH public key to the settings file. The victim clones the repo and asks the AI assistant to set it up. The agent reads the instructions, follows the symlink, and writes the attacker’s key to the authorized SSH list — granting passwordless remote access.
The attack succeeds because the coding assistants’ confirmation dialogs hide the true destination of the write operation. A user sees a prompt such as “Make this edit to project_settings.json?” when the agent is actually writing to `.ssh/authorized_keys`. Dokhanian described the consent as “formally present but substantively empty.”
Affected tools and vendor responses
| Tool | Severity | Status |
|——|———-|——–|
| Amazon Q Developer | High, CVE-2026-12958 | Patched |
| Cursor | Critical, CVE-2026-50549 | Patched v3.0 |
| Google Antigravity | Critical | Patched May 22 |
| Anthropic Claude Code | Informative | Symlink warning in v2.1.32 (Feb 5) |
| Augment | Critical | Unpatched |
| Windsurf | Critical | Unpatched |
Anthropic marked the issue as “informative” and argued that a user who explicitly confirms trust in a directory containing a malicious symlink falls outside the tool’s threat model. Augment stated that “no patch can separate an agent’s ability to edit and run code from its ability to access the filesystem.”
Wiz said it has seen no evidence of active exploitation, but the vulnerability represents a serious enterprise risk given the rapid adoption of AI coding agents in production environments.

