Flaws in some of the most popular AI coding tools left developers wide open to attack
Malicious repositories can trick advanced AI agents into silently breaking out of their workspace sandboxes
A 'category-level' security flaw in six leading AI coding assistants could give attackers remote control of a developer’s machine, according to researchers at Wiz.
Dubbed GhostApproval, the flaw affects some of the most popular coding tools on the market right now, including Amazon Q Developer, Claude Code, Cursor, Windsurf, and Google Antigravity.
The flaw has been reported to all six providers, with Amazon, Cursor, and Google having rated it critical or high-severity and fixed it, and there's no evidence that it's been exploited in the wild.
According to Wiz, the vulnerability is caused by a decades-old Unix primitive – symbolic links, or symlinks – which allows malicious repositories to trick AI agents into silently breaking out of their workspace sandboxes, leading to RCE and persistent access to a developer's machine.
In the case of Amazon Q Developer, the agent wrote to the filesystem before presenting the user with an Undo option. Testing by Wiz found the agent correctly identified the symlink in its internal reasoning, but proceeded with the write anyway.
Amazon has fixed the problem, which has been recorded as CVE-2026-12958.
"We have remediated this issue in language server version 1.69.0. The AWS Language Server updates automatically unless the customer's network configuration prevents it, so no action is required in most cases," the firm said in a statement.
Sign up today and you will receive a free copy of our Future Focus 2026 report - the leading resource for IT decision-maker insight on priorities and investment areas in AI, security and more.
"For existing customers, reloading the IDE will trigger an update to the latest language server version, which includes this fix. If auto-update is blocked, we recommend upgrading to the latest version of the Amazon Q Developer plugin for your IDE."
Wiz noted that new customers don't need to take any action, as the latest patched version will be downloaded automatically.
Anthropic issues customer warning
Claude Code, meanwhile, provides the clearest example of user interface misrepresentation of critical information, Wiz said.
"The agent explicitly recognized the dangerous target in its thinking - stating "this is a symbolic link to the Claude settings file" - then presented a prompt asking simply: "Make this edit to project settings.json?" the researchers said.
Anthropic, however, has rejected the threat on the basis that the user explicitly trusted the directory when starting the session and explicitly approved the file operation in the confirmation prompt.
Around the time Wiz revealed its findings, the company added a warning to users, and current versions (2.1.173+) now resolve symlinks.
Cursor's diff UI showed the symlink path; when the user clicked Accept, the backend followed the symlink and wrote to the resolved target. It's been fixed in version 3.0, and Cursor has issued CVE-2026-50549.
Google's Antigravity, meanwhile, displayed the symlink path in its permission dialog rather than the resolved canonical path. Wiz researchers were able to successfully write an attacker's SSH key via a symlink disguised as project_settings.json. Google's fixed the problem.
Windsurf flaw raises serious concerns
Notably, Wiz said Windsurf presented a particularly dangerous variant during testing of the vulnerability.
"The agent writes file modifications directly to disk before the Accept/Reject buttons appear in the UI. The confirmation dialog isn't an authorization gate - it's an undo mechanism," the researchers warned.
Wiz added that the system is compromised “the moment the agent processes the malicious instructions”. Indeed, by the time users even see the prompt asking to accept changes, an attacker’s SSH was already placed in the authorizedkeys file.
Researchers warned that the findings show that “trust boundary questions” will become critical for organizations rolling out AI agents en-masse.
"GhostApproval is a symptom of a broader challenge: building AI systems that are both powerful and trustworthy. Getting the human-in-the-loop right – truly right, not just formally present – is essential to that goal."
FOLLOW US ON SOCIAL MEDIA
Follow ITPro on Google News and add us as a preferred source to keep tabs on all our latest news, analysis, views, and reviews.
You can also follow ITPro on LinkedIn, X, Facebook, and BlueSky.
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.
-
The memory shortage is hitting PC sales hard, but vendor revenues are still growingNews AI-driven component shortages are hurting PC sales, but device vendors are recording solid revenue growth
-
Rubrik selects London as EMEA hub as part of £375m investment pledgeNews The move reflects the UK’s “growing strategic importance” to Rubrik’s global expansion
-
Hackers are capitalizing on AI hype to ramp up social engineering attacks – and they're using big brands like Anthropic, OpenAI, and DeepSeek as ‘bait’ to lure victimsNews Microsoft says cyber criminals are impersonating popular AI platforms to deliver malware
-
‘These sorts of post-compromise techniques used to be restricted to actors with the technical knowledge to carry them out’: Anthropic warns AI is helping lower the bar for up-and-coming hackersNews AI is making it harder to differentiate between high and low-skilled actors
-
Anthropic targets vulnerability detection gains with Claude Security public beta — here's what users can expectNews The Claude Mythos developer is aiming for a more limited approach to cyber tooling for public consumption
-
AI agents using Anthropic MCP could be a vector for supply chain attacks, claim researchersNews The flaw in Anthropic’s Model Context Protocol agent communication standard could put millions of agents and 200,000 servers at risk, report says
-
AI is raising the stakes for cyber professionals – Claude Mythos just took things to another levelNews AI efficiency gains work both ways, and threat actors are already capitalizing on powerful new tools
-
‘There was a manual deploy step that should have been better automated’: Claude Code creator confirms cause of massive source code leakNews Over half a million lines of Claude Code source code was leaked, with the company attributing the blunder to human error
-
Anthropic admits hackers have 'weaponized' its tools – and cyber experts warn it's a terrifying glimpse into 'how quickly AI is changing the threat landscape'News Security experts say Anthropic's recent admission that hackers have "weaponized" its AI tools gives us a terrifying glimpse into the future of cyber crime.
-
Hackers are duping developers with malware-laden coding challengesNews A North Korean state-sponsored group has been targeting crypto developers through fake coding challenges given as part of the recruitment process.