Full Report
'GhostApproval' problem highlights human-in-the-loop fails
Analysis Summary
# Vulnerability: GhostApproval (AI Agent Symlink Arbitrary File Write)
## CVE Details
- **CVE ID:** CVE-2026-12958 (Amazon Q Developer), CVE-2026-50549 (Cursor), Pending (Google Antigravity)
- **CVSS Score:** High/Critical (Specific numerical scores vary by vendor)
- **CWE:** CWE-61: UNIX Symbolic Link (Symlink) Following
## Affected Systems
- **Products:** AI-powered coding assistants and agents.
- **Versions:**
- **Amazon Q Developer:** Versions prior to patch (CVE-2026-12958)
- **Cursor:** Versions prior to v3.0
- **Google Antigravity:** Versions prior to May 22, 2026
- **Claude Code:** Versions prior to 2.1.173 (Note: Anthropic disputes the threat model but updated behavior)
- **Augment & Windsurf:** All versions prior to July 8, 2026 (No patches confirmed at time of report)
- **Configurations:** Systems where the AI agent has permissions to write to the local filesystem and the user clones/opens untrusted repositories.
## Vulnerability Description
GhostApproval is a systematic vulnerability pattern where AI coding agents fail to resolve symbolic links (symlinks) before performing file write operations. An attacker can place a malicious symlink in a repository (e.g., `project_settings.json` pointing to `~/.ssh/authorized_keys`).
When the agent is asked to modify the settings file, it follows the symlink and writes to the sensitive system file instead. Crucially, the **UI fail** occurs because the confirmation prompt shown to the user identifies the local file name (`project_settings.json`) rather than the actual destination path, leading the user to "blindly" approve a high-risk system change.
## Exploitation
- **Status:** PoC available; not currently observed in the wild.
- **Complexity:** Low
- **Attack Vector:** Local/Network (via malicious repository download)
## Impact
- **Confidentiality:** High (Access to sensitive configuration and system files)
- **Integrity:** High (Ability to overwrite system files or authorized keys)
- **Availability:** High (Potential for system instability or lockout)
- **RCE:** Remote Code Execution is achievable by injecting SSH keys or modifying startup scripts.
## Remediation
### Patches
- **Amazon:** CVE-2026-12958 has been patched in Q Developer.
- **Cursor:** Fix included in version **v3.0** (CVE-2026-50549).
- **Google:** Patch deployed for Antigravity as of **May 22, 2026**.
- **Anthropic:** Claude Code **v2.1.173+** includes improved symlink resolution.
### Workarounds
- **Strict Repository Scanning:** Manually audit repositories for symlinks (`ls -laR | grep "->"`).
- **Least Privilege:** Run AI coding agents within highly restricted containers or VMs that do not have access to the host's `~/.ssh` or sensitive system directories.
- **Avoid "Blind" Approvals:** Exercise extreme caution when prompts ask to update configuration files in newly cloned repositories.
## Detection
- **Indicators of Compromise:** Unexpected entries in `~/.ssh/authorized_keys`, `.zshrc`, `.bashrc`, or other shell configuration files.
- **Detection Methods:**
- Audit logs of AI agent activity for writes occurring outside the project workspace.
- Security tools (EDR) flagging unexpected modifications to sensitive hidden directories after AI agent interaction.
## References
- **Wiz Research:** hxxps[://]www[.]wiz[.]io/blog/ghostapproval-vulnerability-ai-coding-assistants
- **Mitre CWE-61:** hxxps[://]cwe[.]mitre[.]org/data/definitions/61[.]html
- **Amazon Security Advisory:** [Link provided via CVE-2026-12958]
- **Cursor Security:** [Link provided via CVE-2026-50549]