GhostApproval: Symlink Vulnerability in 6 AI Coding Assistants Allows Malicious Repos to Write to Arbitrary Files

GhostApproval: Symlink Vulnerability in 6 AI Coding Assistants Allows Malicious Repos to Write to Arbitrary Files

TTP Advisory: GhostApproval | No CVE | Severity: High | Affected Tools: Amazon Q Developer, Anthropic Claude Code, Augment, Cursor, Google Antigravity, Windsurf | Discovered by: Wiz Research


What Is the Vulnerability

Wiz Research discovered that six popular AI coding assistants fail to properly check symbolic links (symlinks) before writing to files. A malicious repository can contain a symlink named project_settings.json that actually points to ~/.ssh/authorized_keys or another sensitive system file. When the AI assistant is asked to modify the repository, it follows the symlink and writes to the unintended target. The assistant asks permission to edit what looks like a harmless file, but the write lands on a sensitive one instead. Three of the six tools have shipped fixes (Amazon Q Developer and Cursor); two have not; Anthropic disputes that it is a bug in Claude Code.


Affected Tools

  • Amazon Q Developer — fix shipped
  • Anthropic Claude Code — Anthropic disputes the finding
  • Augment — status pending
  • Cursor — fix shipped
  • Google Antigravity — status pending
  • Windsurf — status pending

Exploited?

No confirmed exploitation in the wild. Wiz disclosed the vulnerability responsibly on July 8. However, the attack is trivially exploitable by anyone who can create a repository with a symlink — including open-source contributors, pull requests from unknown users, or package dependencies.


Fix

Vendor-specific fixes vary. Amazon Q Developer and Cursor have shipped fixes. Users of other tools should check vendor advisories.

  • General recommendation: Do not use AI coding assistants in auto-approve mode when working with untrusted repositories.

Recommendations

  • Update patched tools: Apply updates for Amazon Q Developer and Cursor.
  • Disable auto-approve: Do not allow AI coding assistants to automatically approve file writes in untrusted projects.
  • Review symlink handling: Be aware that AI assistants may not check symlink targets before writing.
  • Sandbox untrusted repos: Consider reviewing AI assistant operations on third-party code in a sandboxed environment.

References


Part of the Vulnerability Intelligence series on threat-modeling.com. July 9, 2026 Report.

Connect with me

Enter your Email address if you want to connect and receive threat modeling updates (I won’t spam you or share your contact details).

AND / OR

Try my threat modeling tool, it's completely free to use.

Thanks for signing up!