A ‘category-level’ security flaw in six leading AI coding assistants could give attackers remote control of a developer’s machine, according to researchers at Wiz.
Dubbed GhostApproval, the flaw affects some of the most popular coding tools on the market right now, including Amazon Q Developer, Claude Code, Cursor, Windsurf, and Google Antigravity.
The flaw has been reported to all six providers, with Amazon, Cursor, and Google having rated it critical or high-severity and fixed it, and there’s no evidence that it’s been exploited in the wild.
According to Wiz, the vulnerability is caused by a decades-old Unix primitive – symbolic links, or symlinks – which allows malicious repositories to trick AI agents into silently breaking out of their workspace sandboxes, leading to RCE and persistent access to a developer’s machine.
In the case of Amazon Q Developer, the agent wrote to the filesystem before presenting the user with an Undo option. Testing by Wiz found the agent correctly identified the symlink in its internal reasoning, but proceeded with the write anyway.
Amazon has fixed the problem, which has been recorded as CVE-2026-12958.
“We have remediated this issue in language server version 1.69.0. The AWS Language Server updates automatically unless the customer’s network configuration prevents it, so no action is required in most cases,” the firm said in a statement.
“For existing customers, reloading the IDE will trigger an update to the latest language server version, which includes this fix. If auto-update is blocked, we recommend upgrading to the latest version of the Amazon Q Developer plugin for your IDE.”
Wiz noted that new customers don’t need to take any action, as the latest patched version will be downloaded automatically.
Anthropic issues customer warning
Claude Code, meanwhile, provides the clearest example of user interface misrepresentation of critical information, Wiz said.
“The agent explicitly recognized the dangerous target in its thinking – stating “this is a symbolic link to the Claude settings file” – then presented a prompt asking simply: “Make this edit to project settings.json?” the researchers said.
Anthropic, however, has rejected the threat on the basis that the user explicitly trusted the directory when starting the session and explicitly approved the file operation in the confirmation prompt.
Around the time Wiz revealed its findings, the company added a warning to users, and current versions (2.1.173+) now resolve symlinks.
Cursor’s diff UI showed the symlink path; when the user clicked Accept, the backend followed the symlink and wrote to the resolved target. It’s been fixed in version 3.0, and Cursor has issued CVE-2026-50549.
Google’s Antigravity, meanwhile, displayed the symlink path in its permission dialog rather than the resolved canonical path. Wiz researchers were able to successfully write an attacker’s SSH key via a symlink disguised as project_settings.json. Google’s fixed the problem.
Windsurf flaw raises serious concerns
Notably, Wiz said Windsurf presented a particularly dangerous variant during testing of the vulnerability.
“The agent writes file modifications directly to disk before the Accept/Reject buttons appear in the UI. The confirmation dialog isn’t an authorization gate – it’s an undo mechanism,” the researchers warned.
Wiz added that the system is compromised “the moment the agent processes the malicious instructions”. Indeed, by the time users even see the prompt asking to accept changes, an attacker’s SSH was already placed in the authorizedkeys file.
Researchers warned that the findings show that “trust boundary questions” will become critical for organizations rolling out AI agents en-masse.
“GhostApproval is a symptom of a broader challenge: building AI systems that are both powerful and trustworthy. Getting the human-in-the-loop right – truly right, not just formally present – is essential to that goal.”
FOLLOW US ON SOCIAL MEDIA
Follow ITPro on Google News and add us as a preferred source to keep tabs on all our latest news, analysis, views, and reviews.
You can also follow ITPro on LinkedIn, X, Facebook, and BlueSky.
Click Here For The Original Source.
