GhostApproval Vulnerability in AI Coding Agents Allows Remote Code Execution

GhostApproval Vulnerability in AI Coding Agents Allows Remote Code Execution

First seen 8 Jul 2026, 17:25 UTC TheregisterLetsdatasciencewww.wiz.io 88% similarity 57.8

Article Content

Browse articles
ThreatCluster

A vulnerability named 'GhostApproval' was discovered by Wiz, affecting six AI coding assistants, allowing attackers to trick these agents into accessing files outside their designated sandbox. The flaw can lead to remote code execution on developers' machines. Affected tools include Amazon Q Developer, Anthropic Claude Code, Augment, Cursor, Google Antigravity, and Windsurf. Amazon, Cursor, and Google have deemed the flaw critical or high-severity and have issued fixes, while Augment and Windsurf have acknowledged the issue but have not yet patched it. Anthropic dismissed the vulnerability as 'outside our threat model.' The vulnerability exploits symlink-based path escapes, a long-standing security issue in Unix systems. While there is no evidence of active exploitation, the risk remains significant for enterprises using these AI tools.

Key Points: • GhostApproval allows AI coding agents to access unauthorized files, risking remote code execution. • Amazon, Cursor, and Google have issued fixes, while Augment, Windsurf, and Anthropic have not. • The vulnerability exploits classic symlink security issues, highlighting gaps in AI agent sandboxing.

ThreatCluster AI

Timeline

2026-06-23
CVE-2026-12958 published
Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
MITRE
2026-06-25
CVE-2026-50549 published
Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
MITRE
2026-07-08
GhostApproval vulnerability reported
Wiz disclosed a systematic vulnerability in AI coding agents that allows unauthorized file access, leading to remote code execution.
The Register
2026-07-08
Vendor responses to GhostApproval
Amazon, Cursor, and Google fixed the vulnerability, while Augment and Windsurf acknowledged it but haven't patched; Anthropic dismissed it.
Let's Data Science

Community

Browse all →