News
GhostApproval: Flaw in Six AI Coding Assistants Opens SSH Access

Wiz researchers detailed a technique called GhostApproval that tricked Cursor, Claude Code, Amazon Q Developer, and three other tools into overwriting SSH keys, even as developers appeared to approve what looked like a harmless operation.
Six popular AI-based coding assistants could be fooled by a trick that's been around since the early days of Unix: the symbolic link. Security researchers at Wiz have described a technique called GhostApproval, in which a malicious repository disguises itself as an innocuous configuration file while actually pointing to a developer's SSH keys. Even though the AI agent displayed an approval prompt before making the change, it showed the user a fake file name.
The attack exploits a flaw tracked as CWE-61, covering symbolic links that point outside the working directory. An attacker places a file in the repository with an innocuous-sounding name, such as project_settings.json, which is actually a link to the authorized_keys file in the user's .ssh directory. When the developer asks the AI agent to set up a working environment or to follow instructions in a README file, the tool follows the link and writes the attacker-supplied key there. The result is persistent, password-free remote access to the victim's machine.
An Illusion of Consent
The most unsettling part of Wiz's write-up concerns what the researchers called a bypass of informed consent. The human formally approves the operation, but the dialog box shows a false picture of what's actually happening. In tests with Claude Code, researchers observed that the model's own internal reasoning correctly identified that the file project_settings.json was actually a zsh shell configuration file. Even so, the approval prompt shown to the user listed only the harmless, apparent file name. That pattern matches CWE-451, a user interface misrepresentation flaw.
Wiz's advice to tool makers is to resolve the symlink and show the real destination before asking, flag any write that lands outside the project folder, and never touch the disk until the user has actually approved - Wiz Research
Uneven Vendor Response
Vendor responses varied widely. AWS confirmed and fixed the issue in an update to the Amazon Q language server, version 1.69.0, rolling the patch out automatically to all users. Cursor rated the bug critical and patched it in version 3.0, assigning it the official identifier CVE-2026-50549. Google eliminated the problem in Antigravity by May 22, 2026, also classifying it as critical.
Anthropic took a stance apart from the rest of the field. The company argued that once a user trusts a directory and approves an edit, the decision and its consequences are theirs to own, which places this scenario outside the company's accepted threat model. At the same time, researchers found that Claude Code version 2.1.32, released February 5, 2026, before the flaw was formally reported, had already begun warning about operations on symbolic links, and that releases from version 2.1.173 onward resolve the link and display the actual write destination before requesting approval. Augment and Windsurf confirmed the vulnerability but had not yet released a patch at the time of publication.
Why This Matters for Developers
The scale of the problem stems from how deeply agentic coding tools have become woven into developer teams' daily work, often with broad file system write permissions and without full human oversight of every step. GhostApproval shows that the approval mechanisms meant to give developers a sense of control can be effectively defeated without breaking any cryptographic safeguard, an old Unix file system trick is enough. For companies using these tools, that means treating the cloning of unfamiliar repositories as a risky operation, regardless of how trustworthy the AI assistant seems.
The researchers' recommendation to tool makers is simple: agents should resolve symbolic links and show the real write destination before asking for approval, flag any write that lands outside the project folder, and never touch the disk until the user has actually approved the operation based on accurate information. Until every vendor implements these safeguards, developers using Augment or Windsurf should be especially cautious when working with repositories from untrusted sources.
Sources: The Hacker News (thehackernews.com), Wiz Research Blog (wiz.io)

