GhostApproval Vulnerability Exposes AI Coding Assistants to Remote Code Execution

GhostApproval Vulnerability Exposes AI Coding Assistants to Remote Code Execution

First seen 8 Jul 2026, 17:25 UTC LetsdatascienceFeeds.4SysopsCybersecuritynewsTheregisterHeise.De+6 88% similarity 70.5

Article Content

Browse articles
ThreatCluster

A vulnerability named GhostApproval has been discovered in six major AI coding assistants, including Amazon Q Developer, Anthropic Claude Code, Augment, Cursor, Google Antigravity, and Windsurf. This flaw allows malicious repositories to trick AI agents into accessing files outside their designated workspaces, potentially leading to remote code execution on developers' machines. The vulnerability exploits symbolic links (symlinks) to bypass security controls, with attackers able to write sensitive data, such as SSH keys, to unauthorized locations. Wiz reported the issue, and while Amazon, Google, and Cursor have issued patches, Augment and Windsurf have not yet remediated the vulnerability. The flaw highlights significant trust boundary gaps in AI coding tools that rely on user approval for actions. Current status indicates that while some vendors have acted, others remain vulnerable, posing a risk to enterprises utilizing these tools.

Key Points: • GhostApproval affects six major AI coding assistants, leading to potential remote code execution. • The vulnerability exploits symlinks to bypass workspace sandboxes, allowing unauthorized file access. • Patches have been issued by Amazon, Google, and Cursor, but Augment and Windsurf remain unpatched.

ThreatCluster AI

Timeline

2019-05-23
CVE-2018-15664 published
Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
MITRE
2021-08-03
CVE-2021-32803 published
Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
MITRE
2024-01-31
CVE-2024-21626 published
Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
MITRE
2026-02-01
GhostApproval vulnerability discovered
Wiz researchers identified the GhostApproval vulnerability affecting major AI coding assistants.
Heise.De
2026-06-23
CVE-2026-12958 published
Amazon Q Developer patched the GhostApproval vulnerability, tracking it as CVE-2026-12958.
Heise.De
2026-06-25
CVE-2026-50549 published
Cursor issued a patch for the GhostApproval vulnerability, tracking it as CVE-2026-50549.
Heise.De
2026-07-08
Vulnerability acknowledged by vendors
Augment and Windsurf acknowledged the vulnerability but have not yet issued patches.
Theregister
2026-07-09
Public disclosure of vulnerability details
Wiz published detailed findings on GhostApproval, raising awareness of the security gap.
Wiz.io

Community

Browse all →