GhostApproval Vulnerability in AI Coding Assistants Allows Remote Code Execution

GhostApproval Vulnerability in AI Coding Assistants Allows Remote Code Execution

First seen 8 Jul 2026, 17:25 UTC TheregisterLetsdatasciencewww.wiz.ioFeeds.4Sysops 86% similarity 70.5

Article Content

Browse articles
ThreatCluster

A vulnerability named GhostApproval has been identified in six popular AI coding assistants, including Amazon Q Developer, Anthropic Claude Code, Augment, Cursor, Google Antigravity, and Windsurf. This flaw exploits symbolic links (symlinks) to bypass workspace sandboxes, potentially allowing remote code execution on developers' machines. The security firm Wiz reported the issue, leading to critical fixes from Amazon, Cursor, and Google, while Augment and Windsurf have not yet patched the vulnerability. Anthropic dismissed the issue as 'outside our threat model.' The vulnerability exposes enterprises that rely on AI coding tools to significant risks, as these tools often have deep access to sensitive codebases. Although no active exploitation has been reported, the potential for abuse remains high, especially in environments rushing to deploy these technologies.

Key Points: • GhostApproval affects six major AI coding assistants, risking remote code execution. • Amazon, Cursor, and Google have issued patches, while Augment and Windsurf have not. • Anthropic rejected the vulnerability report, claiming it is outside their threat model.

ThreatCluster AI

Timeline

2019-05-23
CVE-2018-15664 published
Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
MITRE
2021-08-03
CVE-2021-32803 published
Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
MITRE
2024-01-31
CVE-2024-21626 published
Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
MITRE
2026-06-23
CVE-2026-12958 published
Amazon and Cursor issued CVE trackers for the GhostApproval vulnerability after confirming its severity.
Article 2
2026-06-25
CVE-2026-50549 published
Google began the process of issuing a CVE tracker for the GhostApproval vulnerability.
Article 2
2026-07-08
GhostApproval vulnerability disclosed
Wiz announced the GhostApproval vulnerability affecting six AI coding assistants, highlighting the risk of symlink exploitation.
Article 1
Recent
Vulnerability acknowledged by vendors
Augment and Windsurf acknowledged the vulnerability report but have not yet issued patches.
Article 3

Community

Browse all →