In brief: Six AI code assistants fail to validate symlinks before write operations, allowing attackers to manipulate system configurations through fraudulent project files — some vendors have already patched, others are still working on fixes.
Security researchers from Wiz have uncovered a design flaw in six widely-used AI programming assistants that allows attackers to access sensitive system configurations through manipulated repository files. The vulnerability exploits symlinks that are not validated by the tools before write operations.
The vulnerability GhostApproval, published on 8 July 2026, affects Amazon Q Developer, Claude Code (Anthropic), Augment, Cursor, Google Antigravity, and Windsurf. The attack exploits a characteristic of Unix file systems: symlinks are not checked by the assistants before they write to files. A malicious project disguises itself as a harmless configuration file such as project_settings.json, but points via symlink to sensitive system files outside the project folder — for example ~/.ssh/authorized_keys or ~/.zshrc. Once the developer asks the assistant to set up the project, the system writes malicious code or SSH keys directly into these system files.
The core problem lies in the approval dialog windows: they display only the harmless local path to the user, while the system accesses the actual system folder in the background. With Claude Code, researchers found that the internal logic correctly identified the actual destination, but presented only the filename to the user in the dialog — a deception through incomplete information. With Windsurf, data is written before the confirmation message, so the prompt merely functions as an undo feature. Augment showed no dialog at all and silently enabled read access to AWS credentials outside the project directory.
The vendors are responding differently. Amazon Q Developer fixed the error in Language Server 1.69.0 under CVE-2026-12958, Cursor in version 3.0 under CVE-2026-50549, and Google updated Antigravity. Augment and Windsurf confirmed the issue and are working on fixes. Anthropic rejects the classification as a security vulnerability, arguing that the scenario lies “outside our threat model” because the developer already trusts the folder.
The risk is not theoretical. In June 2026, the Miasma worm exploited manipulated configuration files in Microsoft Azure to execute malicious code as soon as developers opened the infected project in Claude Code, Cursor, or Gemini. For mitigation, it is recommended to run AI agents only with restricted file access permissions or in isolated containers.
Source: www.it-daily.net · Published 9 July 2026
Lumi AI News — AI-assisted curation in accordance with Article 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.3.