{"id":4553,"date":"2026-07-09T16:13:06","date_gmt":"2026-07-09T16:13:06","guid":{"rendered":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/2026\/07\/09\/ghostapproval-flaw-featuring-decades-old-feature-found-in-six-ai-coding-tools\/"},"modified":"2026-07-09T16:13:06","modified_gmt":"2026-07-09T16:13:06","slug":"ghostapproval-flaw-featuring-decades-old-feature-found-in-six-ai-coding-tools","status":"publish","type":"post","link":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/2026\/07\/09\/ghostapproval-flaw-featuring-decades-old-feature-found-in-six-ai-coding-tools\/","title":{"rendered":"GhostApproval Flaw Featuring Decades-Old Feature Found in Six AI Coding Tools"},"content":{"rendered":"<div><img data-opt-id=1280437455  fetchpriority=\"high\" decoding=\"async\" width=\"770\" height=\"330\" src=\"https:\/\/devops.com\/wp-content\/uploads\/2026\/07\/ghostapproval_ai_coding_agents_770x330.jpg\" class=\"attachment-large size-large wp-post-image\" alt=\"\" \/><\/div>\n<p><img data-opt-id=334085584  fetchpriority=\"high\" decoding=\"async\" width=\"150\" height=\"150\" src=\"https:\/\/devops.com\/wp-content\/uploads\/2026\/07\/ghostapproval_ai_coding_agents_770x330-150x150.jpg\" class=\"attachment-thumbnail size-thumbnail wp-post-image\" alt=\"\" \/><\/p>\n<p>A security flaw found in six popular AI coding agents can let attackers abuse a decades-old feature in Unix to trick an AI agent into giving them control of a developer\u2019s system.<\/p>\n<p>Researchers with Google-owned Wiz said the vulnerability, <a href=\"https:\/\/www.wiz.io\/blog\/ghostapproval-a-trust-boundary-gap-in-ai-coding-assistants\" target=\"_blank\" rel=\"noopener\">dubbed \u201cGhostApproval,\u201d<\/a> relies on symbolic links \u2013 or symlinks \u2013 a file system feature that has been a security problem for years and one in which a file path secretly points to another. Writing to the symlink actually means writing to the target rather than the actual intended file.<\/p>\n<p>Wiz found that the same technique \u2013 which over the years has been exploited in race conditions, package managers, and container escapes \u2013 also works with coding agents, in particular Anthropic Claude Code, Amazon Q Developer, Google Antigravity, Augment, Cursor, and Windsurf.<\/p>\n<p>A malicious repository created by a threat actor can trick a coding agent into writing to malicious files on a developer\u2019s machine or to give attackers remote code execution (RCE) capabilities.<\/p>\n<p>\u201cAny time a tool writes to a user-controlled path without resolving it first, symlinks become a weapon,\u201d Wiz security researcher Maor Dokhanian wrote in a report. \u201cWould AI agents, with their ability to read and write files autonomously, fall for the same trick? We were surprised when it worked. The agent happily followed a symlink pointing outside the workspace and wrote to the target file. No warning, no path resolution, no sandbox enforcement.\u201d<\/p>\n<p>A Wiz-built proof-of-concept (PoC) proved it out, Dokhanian wrote.<\/p>\n<h3>Targeting AI Coding Assistants<\/h3>\n<p>The vendor\u2019s findings come more than a month after researchers with Adversa AI, which offers a platform that provides continuous AI red teaming, <a href=\"https:\/\/adversa.ai\/blog\/the-approval-prompt-is-lying-to-you-symlink-rce-in-five-ai-coding-agents-claude-code-cursor-antigravity-copilot-grok-build\/\" target=\"_blank\" rel=\"noopener\">wrote about the flaw<\/a>, which they termed \u201cSymJacking.\u201d<\/p>\n<p>The vendor similarly built a PoC and came away with similar findings, finding the technique worked against Claude Code, Gemini CLI\/Antigravity CLI, Cursor Agent CLI, GitHub Copilot CLI, Grok Build, and OpenAI Codex CLI.<\/p>\n<p>\u201cWe found that a booby-trapped code repository can take over a developer\u2019s workstation through their AI coding assistant, with the developer approving only what appears to be a harmless video file copy,\u201d wrote Rony Utevsky, security research engineer with Adversa AI. \u201cWe call this class of attack SymJack, for the symlink hijack at its core: the developer approves what the prompt shows, the kernel writes somewhere else.\u201d<\/p>\n<p>Both illustrate the ongoing security issues that come with AI coding assistants. They are given wide access to privileged and sensitive information but often can\u2019t discern between trusted instructions and untrusted data. Given the rapidly expanding use of coding agents \u2013 a report by CodeSignal found that <a href=\"https:\/\/codesignal.com\/report-developers-and-ai-coding-assistant-trends\/#adoption\" target=\"_blank\" rel=\"noopener\">81% of developers surveyed are using them<\/a>, with 49% doing so every day \u2013 it opens organizations up to <a href=\"https:\/\/devops.com\/mozilla-shows-the-danger-of-indirect-prompt-injections-in-ai-coding-agents\/\" target=\"_blank\" rel=\"noopener\">indirect prompt injections<\/a> and other such threats.<\/p>\n<h3>\u2018A Category-Level Blind Spot\u2019<\/h3>\n<p>According to Wiz\u2019s Dokhanian, the fact that the GhostApproval technique worked on six major AI coding assistants showed that \u201cthis wasn\u2019t about one vendor\u2019s mistake. It was a category-level blind spot across AI coding tools.\u201d<\/p>\n<p>In their PoC, Wiz researchers created a malicious repository. When the victim clones the repository and asks the coding tool to create a workspace or follow a README, the agent takes in the instructions and writes the attacker\u2019s SSH public key to the victim\u2019s authorized key. This can occur quickly enough that it\u2019s done before the user is asked for confirmation.<\/p>\n<p>When that\u2019s done, the bad actor has persistent SSH access to the developer\u2019s computer.<\/p>\n<h3>Cracks in the Defenses<\/h3>\n<p>A key problem is that many of the coding agents have sandboxes or confirmation dialogs aimed at preventing such an attack, creating a human-in-the-loop environment in which the user is asked for permission before the agent acts. However, the UI doesn\u2019t always show the true target.<\/p>\n<p>In addition, in testing Claude Code, the agent itself can detect the malicious file, but the confirmation prompt simply asks, \u201cMake this edit to project_settings.json?\u201d<\/p>\n<p>\u201cThe agent knew,\u201d Dokhanian wrote. \u201cThe user didn\u2019t. This transforms a sandbox bypass into an informed consent bypass \u2013 the user approves what they believe is a harmless local edit, while the agent modifies\u201d the malicious file.<\/p>\n<h3>Anthropic Balks<\/h3>\n<p>Wiz reported its findings to all six vendors, with Amazon Web Services, Cursor, and Google fixing the issue. Two others, Augment and Windsurf, have fixes in the works. Anthropic initially rejected the finding, writing that it \u201cfalls outside of our current threat model,\u201d noting that with Claude Code, the user must confirm their trust in the directory before starting the session.<\/p>\n<p>That said, current Claude Code versions now warn users before writing to sensitive files, Dokhanian wrote. In a subsequent note to Wiz, Anthropic said the symlink warning shipped in v2.1.32 in February, several days before Wiz submitted its report to the vendor, and was done based on an internal review.<\/p>\n<h3>A Matter of Trust<\/h3>\n<p>He added that it becomes an issue of design philosophy, with the question being whether the tool should protect users from deceptive workspaces, or is it up to the user to recognize the malicious workspace.<\/p>\n<p>\u201cThe Human-in-the-Loop security model only works if the loop provides accurate information,\u201d Dokhanian wrote. \u201cWhen an agent shows one thing and does another, user approval becomes meaningless. The confirmation dialog transforms from a security control into a formality.\u201d<\/p>\n<p>He called it a \u201ccategory-level design question\u201d that the AI coding industry hasn\u2019t adequately addressed, which is a concern given how vendors are competing to get their tools with expanding autonomous capabilities to developers.<\/p>\n<p>\u201cThe trust boundaries between user, agent, and filesystem need clearer definition,\u201d he said.<\/p>\n<p><a href=\"https:\/\/devops.com\/ghostapproval-flaw-featuring-decades-old-feature-found-in-six-ai-coding-tools\/\" target=\"_blank\" class=\"feedzy-rss-link-icon\">Read More<\/a><\/p>\n<p>\u200b<\/p>","protected":false},"excerpt":{"rendered":"<p>A security flaw found in six popular AI coding agents can let attackers abuse a decades-old feature in Unix to [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":4554,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[5],"tags":[],"class_list":["post-4553","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-devops"],"_links":{"self":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts\/4553","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/comments?post=4553"}],"version-history":[{"count":0,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts\/4553\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/media\/4554"}],"wp:attachment":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/media?parent=4553"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/categories?post=4553"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/tags?post=4553"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}