GhostApproval Exposes Critical Security Flaw in AI Coding Assistants, Enabling Hidden File Access and Remote Code Execution
Researchers have uncovered GhostApproval, a widespread vulnerability affecting major AI coding assistants. The flaw allows malicious repositories to manipulate file operations outside project boundaries, potentially leading to credential theft and remote code execution.
Xcademia Team
Xcademia Research Team

GhostApproval Reveals a Dangerous Trust Boundary Gap in AI Coding Assistants
Artificial intelligence coding assistants have rapidly become essential tools for developers. From generating code to automating project setup tasks, these systems promise increased productivity through intelligent automation. However, new research from Wiz has uncovered a critical security weakness that challenges one of the industry's most important safety assumptions.
The vulnerability, dubbed GhostApproval, affects multiple leading AI coding assistants and demonstrates how attackers can exploit classic filesystem tricks to bypass user safeguards and gain unauthorized access to sensitive files.
The findings raise broader concerns about whether current Human-in-the-Loop security models are sufficient for increasingly autonomous AI agents.
What Is GhostApproval?
GhostApproval is a vulnerability pattern that exploits how AI coding assistants handle symbolic links (symlinks).
A symbolic link acts as a shortcut that points one file path to another. While symlinks are a standard feature in Unix-like operating systems, they have historically been abused in numerous security vulnerabilities.
In the GhostApproval scenario:
An attacker creates a repository containing a seemingly harmless file.
That file is actually a symlink pointing to a sensitive system file.
The AI assistant is instructed to modify the file.
Instead of editing a local project file, the assistant follows the symlink and writes data to the sensitive target.
The result can be unauthorized modification of critical files such as SSH authentication keys, shell configuration files, or cloud credentials.

Why This Vulnerability Is Different
Symlink vulnerabilities are not new. Security teams have dealt with them for decades.
What makes GhostApproval unique is the interaction between AI agents and user approval workflows.
Many coding assistants rely on a simple trust model:
AI proposes an action
User reviews it
User approves or rejects it
Researchers found that several assistants displayed only the apparent file name in approval dialogs while hiding the actual destination file.
For example, a prompt might display:
Edit project_settings.json?
Meanwhile, the real target could be:
~/.ssh/authorized_keys
This creates a situation where users approve an action without understanding what will actually be modified.
Researchers classify this behavior as CWE-451: User Interface Misrepresentation of Critical Information.
In other words, the security control exists, but the information necessary for informed consent is missing.
Remote Code Execution Through AI Assistants
The most serious impact demonstrated by researchers involved SSH key injection.
An attacker could create a repository containing a symlink named:
project_settings.jsonThe symlink actually points to:
~/.ssh/authorized_keys
When the victim asks the AI assistant to follow setup instructions, the agent may insert the attacker's public SSH key into the target file.
Once successful, the attacker gains persistent remote access to the developer's machine without needing a password.
This turns a simple project setup request into a potential remote code execution pathway.
Six Major AI Coding Assistants Were Affected
Researchers tested six widely used AI coding assistants and discovered variants of the same core issue.
Amazon Q Developer
Amazon Q displayed a particularly concerning behavior where file modifications occurred before authorization was fully completed.
Researchers observed the assistant recognizing the symlink but still performing the write operation before offering an Undo option.
Status: Fixed
CVE: CVE-2026-12958
Anthropic Claude Code
Claude Code became the centerpiece of the Human-in-the-Loop debate.
Researchers observed the assistant correctly identifying that a file pointed to a sensitive location. However, the user-facing prompt displayed only the original filename.
Anthropic initially classified the issue as outside its threat model, arguing that users had already trusted the repository and approved the action.
Later versions introduced stronger symlink warnings and safer handling mechanisms.
Status: Security hardening implemented
Augment
Augment exhibited some of the most severe behavior.
Researchers found that the assistant could:
Read files outside the workspace
Expose sensitive credentials in chat
Write to external files
Perform operations without user confirmation
Examples included exposing AWS credentials and modifying shell startup files.
Status: Acknowledged and under remediation
Cursor
Cursor's interface displayed only the visible project file while backend operations followed the symlink to its actual destination.
Status: Fixed in Version 3.0
CVE: CVE-2026-50549
Google Antigravity
Google's AI coding platform displayed symlink paths instead of resolved filesystem paths in permission dialogs.
Researchers successfully demonstrated SSH key injection attacks.
Status: Fixed
Windsurf
Windsurf presented perhaps the most dangerous variation.
The assistant wrote changes directly to disk before displaying Accept or Reject options.
This effectively transformed the approval process into an Undo mechanism rather than a security gate.
Status: Acknowledged; remediation ongoing

The Human-in-the-Loop Problem
The research highlights a fundamental challenge for AI-powered development tools.
Many vendors assume that user approval equals security.
However, meaningful approval depends on accurate information.
If users believe they are approving changes to a local configuration file while the AI modifies an SSH authentication file, the approval process loses its security value.
The issue is less about malicious AI behavior and more about how trust boundaries are communicated between:
User
AI agent
Filesystem
Operating system
As AI agents gain greater autonomy, these boundaries become increasingly important.
How Vendors Can Prevent Similar Attacks
Researchers recommend several security measures:
Resolve Symlinks Before Displaying Prompts
Approval dialogs should always show the real destination path, not the apparent filename.
Flag External File Access
Any operation targeting files outside the project workspace should trigger enhanced warnings.
Block Pre-Authorization Writes
No file modifications should occur before explicit user approval.
Strengthen Filesystem Validation
AI assistants should validate canonical paths and enforce workspace boundaries before performing read or write operations.
Increase Context Visibility
Users should clearly understand:
What file is being modified
Where it resides
Why the change is being made

Detection and Monitoring Strategies
Wiz also outlined several ways organizations can detect GhostApproval-style attacks.
Repository Clone Monitoring
Security tools can detect suspicious symlinks when repositories are cloned.
Sensitive File Monitoring
Monitoring solutions can alert when files such as:
authorized_keys
shell startup files
cloud credential files
are modified unexpectedly.
AI-Aware Threat Detection
Security platforms can assign higher severity scores when suspicious activity originates from AI coding assistant processes.
This context-aware approach helps organizations identify attacks that exploit AI-assisted workflows.
Why GhostApproval Matters for the Future of AI Development
GhostApproval is more than a collection of isolated vulnerabilities.
It exposes a broader design challenge facing the AI development ecosystem.
AI coding assistants are becoming increasingly autonomous, handling tasks that once required direct developer interaction. As that autonomy grows, security controls must evolve beyond simple approval prompts.
The core lesson from this research is clear:
User approval only provides security when users understand exactly what they are approving.
Without transparent trust boundaries, Human-in-the-Loop protections risk becoming little more than a checkbox.
As AI agents continue gaining access to development environments, cloud resources, and production systems, ensuring accurate visibility into their actions will be critical for maintaining trust and security.
Source: Wiz Research Blog
About the Author