A “systematic vulnerability pattern” in at least six of the most widely used AI coding assistants can be abused to trick agents into accessing files outside the workspace sandbox, leading to remote code execution on the developer's machine.Google-owned security biz Wiz found the security gap, which it's named "GhostApproval," and reported it to all six: Amazon Q Developer, Anthropic Claude Code, Augment, Cursor, Google Antigravity, and Windsurf. Amazon, Cursor, and Google deemed the flaw critical or high-severity, fixed it, and either already issued (AWS and Cursor) a CVE tracker or are in the process of getting that done (Google).

Augment and Windsurf acknowledged the Wiz-submitted vulnerability report, but haven’t patched the issue or warned users.

Anthropic called it “outside our threat model” and did nothing. More on that in a bit.While there’s no indication that this vulnerability is being actively exploited by attackers in the wild, it’s still a serious threat to enterprises rushing to deploy code-writing agents in their environments.“AI coding tools are routinely granted deep access to enterprise codebases and cloud environments,” Wiz threat researcher Maor Dokhanian told The Register. “In the race to ship autonomous features, trust-boundary gaps emerge between users, AI agents, and local filesystems. Classic security principles - like resolving symlinks before acting on paths - cannot be overlooked as we embrace new AI architectures.”Age-old headache meets AI coding agentsThe problem stems from a long-standing security headache called symbolic links, aka "symlinks". These files serve as a shortcut to another file or directory. They don’t actually contain data, just the file path of the target file - simple functionality that has led to a long history of attackers using them to bypass security boundaries by pointing to a target outside of an intended sphere of control, thus accessing unauthorized files.GhostApproval takes this ancient security bypass trick and applies it to AI coding agents. The attack itself is simple, and Wiz included a proof-of-concept in its technical write-up. First, the attacker creates a malicious repository:bashmkdir malicious_repo && cd malicious_repo