Symlink Vulnerability in Six Coding Agents Allows Arbitrary File Access
heise Developer · July 9, 2026
curated by Heiko
Wiz researchers discovered GhostApproval, a critical flaw in Amazon Q Developer, Claude Code, Augment, Cursor, Google Antigravity, and Windsurf. Attackers can exploit symbolic links in malicious repositories to trick AI agents into writing arbitrary files, including SSH keys, bypassing sandbox restrictions. Patches available for most tools; Augment and Windsurf remain unpatched.
AI-generated summary (Heiko) · editorially responsible: J. Fuchs · How we use AI