Agents
GhostApproval: symlink flaw turns human-in-the-loop into a rubber stamp across 6 coding agents
Researchers disclosed GhostApproval in July 2026, a symlink-following flaw (CWE-61) that lets a malicious repo trick AI coding assistants into writing files outside their workspace sandbox, escalating to code execution on the developer's machine. It affects six major agents — Amazon Q Developer, Anthropic Claude Code, Augment, Cursor, Google Antigravity, and Windsurf — and critically defeats the human-in-the-loop approval prompt by hiding the real write target. It's a reminder that agent sandboxes and consent UIs can be broken by decades-old filesystem tricks.
↳ Follow the thread