DEV Community

Achin Bansal
Achin Bansal

Posted on • Originally published at gridthegrey.com

CVE-2026-12958: GhostApproval Symlink Attack on Coding Agents

Forensic Summary

Wiz researchers disclosed GhostApproval, a symlink-based attack affecting six AI coding assistants — Amazon Q Developer, Claude Code, Augment, Cursor, Google Antigravity, and Windsurf — that allows malicious repositories to write attacker-controlled content to sensitive files such as SSH authorized_keys or shell startup scripts. The core failure is an informed-consent bypass: the agent's approval dialog names a harmless file while the write targets a sensitive one, or in some tools the write completes before any prompt appears. Three vendors have patched, two have not, and Anthropic disputes the classification as a vulnerability.


Read the full technical deep-dive on Grid the Grey: https://gridthegrey.com/posts/ghostapproval-symlink-flaw-hits-six-ai-coding-agents/

Top comments (0)