A symlink trick fooled Claude Code, Cursor and four other AI coding agents into approving edits they didn't disclose
Security researchers at Wiz found that Claude Code, Cursor, Windsurf, Google Antigravity, Amazon Q and Augment can all be tricked into writing to sensitive files like SSH keys while showing the user an approval prompt that names a harmless-looking symlink instead of the real target — and patch response has varied sharply by vendor.
12 July 2026
Cloud security firm Wiz published research on 8 July into a flaw it calls GhostApproval: a trust-boundary gap affecting at least six mainstream AI coding agents, including Claude Code, Cursor, Windsurf, Google Antigravity, Amazon Q, and Augment. The mechanism is old — a classic symlink-based attack (CWE-61) — but the target is new. A malicious repository can plant a symlink that looks innocent, get an agent to write through it, and the file that actually changes can be something like ~/.ssh/authorized_keys. The human-in-the-loop safeguard that’s supposed to catch this — the “approve this edit?” prompt — shows the symlink’s name, not what it actually points to. In Wiz’s proof of concept, the agent’s own internal reasoning correctly identified the real target file; the interface just didn’t surface it.
What makes this worth tracking isn’t the exploit mechanics, which are a known category. It’s the patch response, because it varies by vendor in a way that’s directly useful due diligence for anyone choosing a tool. AWS shipped a fix for Amazon Q (CVE-2026-12958). Cursor patched too (CVE-2026-50549). Google’s Antigravity fixed the issue without yet assigning a CVE. Augment and Windsurf had acknowledged the report but not shipped a fix at the time of publication. Anthropic’s initial position was that the behaviour sat “outside our current threat model” — treating the existing directory-trust prompt as sufficient — though Wiz notes Anthropic has since added symlink warnings in a later release.
So what
This is the same pattern as the Alibaba/Claude Code episode two days earlier: AI coding agents now run with enough filesystem and shell access that a single overlooked edge case in the approval UI becomes a real credential-exposure risk, not a theoretical one. The practical takeaway for anyone running these tools against real client codebases isn’t “stop using AI coding agents” — it’s “know which one you’re using, whether the vendor has actually closed this class of gap, and whether your own repo hygiene (no untrusted symlinks, sandboxed execution, least-privilege file access) covers you regardless of vendor patch status.” That’s a governance and process question as much as a tooling one, and it’s exactly what we build into engagements where AI-assisted delivery touches production or client data. See our AI-assisted development page for how we handle it, or get in touch if you want a second opinion on your current stack.