TTP Advisory: GhostApproval | No CVE | Severity: High | Affected Tools: Amazon Q Developer, Anthropic Claude Code, Augment, Cursor, Google Antigravity, Windsurf | Discovered by: Wiz Research
What Is the Vulnerability
Wiz Research discovered that six popular AI coding assistants fail to properly check symbolic links (symlinks) before writing to files. A malicious repository can contain a symlink named project_settings.json that actually points to ~/.ssh/authorized_keys or another sensitive system file. When the AI assistant is asked to modify the repository, it follows the symlink and writes to the unintended target. The assistant asks permission to edit what looks like a harmless file, but the write lands on a sensitive one instead. Three of the six tools have shipped fixes (Amazon Q Developer and Cursor); two have not; Anthropic disputes that it is a bug in Claude Code.
Affected Tools
- Amazon Q Developer — fix shipped
- Anthropic Claude Code — Anthropic disputes the finding
- Augment — status pending
- Cursor — fix shipped
- Google Antigravity — status pending
- Windsurf — status pending
Exploited?
No confirmed exploitation in the wild. Wiz disclosed the vulnerability responsibly on July 8. However, the attack is trivially exploitable by anyone who can create a repository with a symlink — including open-source contributors, pull requests from unknown users, or package dependencies.
Fix
Vendor-specific fixes vary. Amazon Q Developer and Cursor have shipped fixes. Users of other tools should check vendor advisories.
- General recommendation: Do not use AI coding assistants in auto-approve mode when working with untrusted repositories.
Recommendations
- Update patched tools: Apply updates for Amazon Q Developer and Cursor.
- Disable auto-approve: Do not allow AI coding assistants to automatically approve file writes in untrusted projects.
- Review symlink handling: Be aware that AI assistants may not check symlink targets before writing.
- Sandbox untrusted repos: Consider reviewing AI assistant operations on third-party code in a sandboxed environment.
References
- The Hacker News: GhostApproval
- Wiz Research Report
Part of the Vulnerability Intelligence series on threat-modeling.com. July 9, 2026 Report.
