Skip to content
AI Security Wire

Published

- 4 min read

By

GhostApproval: The Approval Dialog Shows the Wrong File

img of GhostApproval: The Approval Dialog Shows the Wrong File

The approval dialog is supposed to be the moment where the developer stays in control. A coding agent asks permission before it writes to something. You read what it’s asking, you click accept, and the write happens as described. That is the security contract the approval model is built on.

Wiz published research on July 8 showing that contract is broken in six of the most widely used AI coding tools. The researchers call it GhostApproval. The basic problem: show the developer a harmless-looking filename, write to a completely different file. Amazon Q Developer, Anthropic’s Claude Code, Augment, Cursor, Google Antigravity, and Windsurf are all in scope.

What Actually Happens

The attack uses a symbolic link, which is decades-old Unix functionality: a file that transparently redirects to another file elsewhere on disk. You read from it or write to it, and the operation actually happens on the target.

Wiz built a proof-of-concept malicious repository. Inside it, a file named project_settings.json was actually a symlink pointing to ~/.ssh/authorized_keys — the file that controls SSH login access to the developer’s machine. An agent asked to “update the project configuration” writes to project_settings.json, and the kernel silently redirects the write to the SSH keys file. Same technique pointed at ~/.zshrc or similar shell startup files gives the attacker persistent code execution every time the developer opens a terminal.

The approval dialog problem sits on top of this. When the agent presents the write operation for user confirmation, it shows project_settings.json. Not what project_settings.json points to. The developer sees a plausible config file, clicks accept, and their SSH authorized_keys file has just been overwritten with attacker content.

The Bit That Makes It Worse

When Wiz tested Claude Code specifically, they found something that sharpens the critique: the agent had already correctly identified the real target in its own reasoning. Internally, the model noted that project_settings.json was “actually a zsh configuration file.” That analysis didn’t make it into the confirmation dialog. The developer got the harmless-looking name; the LLM kept the accurate assessment to itself.

This is distinct from a case where the agent was fooled. The agent wasn’t fooled. The human was fooled, by a UI that filtered out the relevant safety information that was sitting in the model’s context.

Wiz gave this its own classification: CWE-451, UI misrepresentation of critical information. The symlink-following is CWE-61. Two separate failure modes, both present in most of the tested tools.

Vendor Responses

Amazon Q Developer received CVE-2026-12958 and AWS patched it in language server version 1.69.0. Cursor fixed the issue in v3.0. Google deployed a fix in May 2026 ahead of public disclosure.

Augment and Windsurf acknowledged the reports. Windsurf confirmed receipt on June 23. Neither had shipped a fix by the time Wiz published.

Anthropic’s position is that GhostApproval is outside their threat model. The reasoning: when a developer opens a project in Claude Code, they’re making a trust decision about that workspace, and the approval prompt is an additional confirmation layer. Combining workspace trust with an approval prompt is, in Anthropic’s assessment, sufficient consent, even when the prompt names the wrong file. Anthropic does not plan to ship a fix.

This follows a similar pattern to SymJack and TrustFall, the two symlink-adjacent vulnerabilities published by Adversa AI in May 2026 (covered previously). Some vendors ship fixes, some decline, and the structural conversation about what AI coding agent approval dialogs should actually be communicating continues without resolution.

The Pattern

GhostApproval is the third distinct attack against AI coding agent approval mechanisms published in 2026, alongside Friendly Fire (AI Now Institute, July 9) and the earlier Adversa research. All three share a common thread: the mechanism the tool uses to keep humans in the loop is not doing what users assume it is.

The specific mechanics differ. SymJack uses instruction files to make the agent run shell commands that follow symlinks directly. GhostApproval uses symlinks to redirect writes while displaying the wrong name. Friendly Fire uses README instructions to get agents to execute code they were auditing. The attack surface in each case is the interface between what the LLM processes and what the human approves.

For developers using AI coding assistants in agent mode: be cautious about opening repositories from sources you don’t control, and when an approval dialog appears, consider whether what’s shown describes the actual destination of the write. Until the approval dialog shows resolved symlink targets, the displayed filename is not a reliable representation of what’s about to happen on disk.

References

Frequently Asked Questions

What is GhostApproval and which AI coding tools are affected?
GhostApproval is a class of symlink vulnerability in AI coding assistants where the tool's approval dialog shows the developer one filename while the actual write goes to a different, sensitive file on disk. Wiz researchers found six tools affected: Amazon Q Developer, Anthropic's Claude Code, Augment, Cursor, Google Antigravity, and Windsurf. The vulnerability was disclosed publicly on July 8, 2026 after a 90+ day coordinated disclosure window.
How does the GhostApproval attack work?
An attacker plants a malicious repository containing a symbolic link with an innocuous-looking name, such as project_settings.json, that actually points to a sensitive file like ~/.ssh/authorized_keys. When the AI coding agent is instructed to edit the config file, it follows the symlink and writes to the real target. The approval dialog shown to the developer names only the symlink, not the actual destination. In several tools tested by Wiz, the agent's own reasoning correctly identified the symlink target, but that information was not surfaced to the user.
Have vendors patched GhostApproval?
Vendor responses have been mixed. AWS patched Amazon Q Developer in language server 1.69.0. Cursor shipped a fix in v3.0. Google deployed a fix in May 2026. Augment acknowledged the report but has not confirmed a resolution. Windsurf acknowledged the issue on June 23, 2026 but had not resolved it by public disclosure. Anthropic declined to treat GhostApproval as a vulnerability, describing the scenario as outside their threat model given that the user has already trusted the workspace and an approval prompt is shown.