Full Report
Uncovering a category-level blind spot in modern AI coding assistants, and why the Human-in-the-Loop safety model fails against this classic threat
Analysis Summary
# Vulnerability: GhostApproval (Informed Consent Bypass in AI Coding Assistants)
## CVE Details
- **CVE ID:** CVE-2026-12958 (Specific to Amazon Q Developer)
- **CVSS Score:** 8.8 (High) - *Calculated base score based on vendor severity rating*
- **CWE:** [CWE-451](https://cwe.mitre.org/data/definitions/451.html): User Interface (UI) Misrepresentation of Critical Information; [CWE-59](https://cwe.mitre.org/data/definitions/59.html): Improper Link Resolution Before File Access (Symlink Follow).
## Affected Systems
- **Products:**
- Amazon Q Developer (formerly AWS Chatbot/CodeWhisperer tools)
- Anthropic Claude Code
- Various other AI coding assistant CLI tools and IDE extensions
- **Versions:**
- Amazon Q: Language server versions prior to 1.69.0
- Claude Code: Versions prior to 2.1.173
- **Configurations:** Systems where an AI assistant is granted permission to "manage the workspace" or edit files within a repository containing malicious symbolic links (symlinks).
## Vulnerability Description
GhostApproval is a category-level vulnerability where AI agents fail to correctly handle "Trust Boundaries" when interacting with symbolic links.
An attacker places a malicious symlink in a repository (e.g., `project_settings.json` pointing to `~/.ssh/authorized_keys`). When the user asks the AI to edit the project settings, the AI observes the symlink and resolves it to the sensitive system file. However, due to a UI misrepresentation flaw, the AI presents a confirmation dialog to the user asking to edit the *local* file name (`project_settings.json`) rather than disclosing the *actual* target file (`~/.ssh/authorized_keys`). This leads to "Informed Consent Bypass," where the user approves a seemingly benign action that results in critical system compromise.
## Exploitation
- **Status:** PoC available; addressed by major vendors.
- **Complexity:** Medium (Requires tempting a user to open a malicious repository and execute AI commands).
- **Attack Vector:** Network (Remote via malicious repository/Social Engineering).
## Impact
- **Confidentiality:** High (Access to sensitive files like `.env`, SSH keys, or cloud credentials).
- **Integrity:** High (Ability to overwrite system configurations, `.zshrc`, or authorized keys).
- **Availability:** High (Potential for system lockout or deletion of critical scripts).
## Remediation
### Patches
- **Amazon Q Developer:** Update to **Language Server version 1.69.0** or later. AWS Language Servers typically update automatically upon IDE reload.
- **Claude Code:** Update to version **2.1.173** or later.
### Workarounds
- **Manual Verification:** Inspect repositories for unexpected symbolic links (`ls -la`) before allowing AI assistants to perform write operations.
- **Restricted Permissions:** Avoid running AI coding assistants with high-privilege users or in environments with access to sensitive SSH keys/production credentials.
- **Sandbox:** Run AI development agents inside isolated containers (e.g., Devcontainers) where a symlink cannot point to the host's actual `~/.ssh` directory.
## Detection
- **Indicators of Compromise:**
- Presence of symbolic links in cloned repositories targeting hidden files (e.g., `.ssh`, `.bashrc`, `.aws/credentials`).
- Unexpected modifications to user configuration files following an AI session.
- **Detection Methods:**
- Static analysis of repositories to flag symlinks targeting paths outside the repository root.
- Monitoring CLI tool logs for "Reasoning" steps where the LLM mentions resolving symbolic links to system paths.
## References
- **AWS Security Bulletin:** [https://aws.amazon.com/security/security-bulletins/2026-047-aws/](https://aws.amazon.com/security/security-bulletins/2026-047-aws/)
- **Wiz Research Blog:** [https://www.wiz.io/blog/ghostapproval-trust-boundary-gap-ai-coding-assistants](https://www.wiz.io/blog/ghostapproval-trust-boundary-gap-ai-coding-assistants)
- **GitHub Advisory:** [https://github.com/aws/language-servers/security/advisories/GHSA-6v3r-4p5c-mrp5](https://github.com/aws/language-servers/security/advisories/GHSA-6v3r-4p5c-mrp5)