# GhostApproval Flaw in AI Coding Assistants Poses Security Risks

*Published July 10, 2026*
*Source: [https://thehackernews.com/2026/07/ghostapproval-symlink-flaws-could-let.html](https://thehackernews.com/2026/07/ghostapproval-symlink-flaws-could-let.html)*

## Executive Summary

Wiz researchers have identified a vulnerability in six AI coding assistants that allows malicious code execution through symbolic link manipulation. This flaw, known as GhostApproval, exposes developers to unauthorized system access, emphasizing the need for improved security protocols.

## Article

Researchers at Wiz have uncovered a critical flaw in six widely used AI coding assistants that can allow malicious code to gain control over a developer's system. This vulnerability, termed GhostApproval, exploits a symbolic link feature found in Unix systems. By manipulating file approvals, the flaw permits an attacker to write to sensitive files under the guise of modifying harmless ones. The impacted AI tools include Amazon Q Developer, Anthropic's Claude Code, Augment, Cursor, Google Antigravity, and Windsurf. On July 8, Wiz published their findings, prompting some vendors to issue patches while others have yet to respond effectively. Anthropic, notably, disagrees with the classification of the issue as a bug, arguing that the responsibility lies with the developer who trusts and approves the edits.

Central to the attack is the exploitation of symlinks, which redirect file writes to a different location on disk. For instance, with the GhostApproval flaw, a seemingly benign request to edit a file named project_settings.json can result in unauthorized changes to critical files like the SSH login file or shell startup scripts. This manipulation allows attackers to gain access to systems without detection. Although there are no indications of this vulnerability being used in real-world attacks, Wiz's research emphasizes the need for heightened awareness and security measures.

Wiz has urged tool developers to address this issue by improving the accuracy of approval dialogs and ensuring that any file write outside the designated project folder is flagged. The broader pattern has been confirmed by other researchers, such as Adversa AI, highlighting a systemic design flaw across multiple AI coding platforms. As AI tools evolve, maintaining robust security measures becomes increasingly important to prevent the misuse of these powerful technologies.
