ctipilot.ch
← Back to the live brief
NOTABLECVE-2026-12958 +1vulnerability

GhostApproval (CVE-2026-12958, CVE-2026-50549) — symlink + confirmation-UI misrepresentation lets a malicious repo write outside six AI coding assistants' workspace sandbox

discovered 2026-07-09 04:32 UTCrun 2026-07-09T0409Z-intel3 sourcesmulti-source

Wiz Research published GhostApproval on 8 July, a systematic vulnerability pattern combining CWE-61 (symbolic-link following) with CWE-451 (UI misrepresentation of critical information) found, in varying severity, across six AI coding assistants: Amazon Q Developer, Cursor, Google Antigravity, Augment, Cognition Labs' Windsurf and Anthropic's Claude Code (Wiz Research, 2026-07-08). A malicious repository plants a symlink inside the workspace that resolves to a sensitive path outside it — e.g. a file named project_settings.json that is actually a link to ~/.ssh/authorized_keys — then a README or prompt instructs the agent to "update" the file. In several tools the agent's own reasoning identifies the true target, yet the confirmation dialog still shows the harmless in-workspace name, so the user rubber-stamps a write to the real target, enabling persistent passwordless SSH access or other host compromise. Windsurf exhibited a pre-authorization write — the file was modified on disk before the Accept/Reject buttons even rendered, making the prompt an "undo" button rather than a gate.

AWS assigned CVE-2026-12958 (missing symlink validation in Language Servers for AWS, CVSS 8.5, fixed in language-servers 1.69.0 / @aws/lsp-codewhisperer 0.0.117) and Cursor assigned CVE-2026-50549 (sandbox escape via symlink + failed path canonicalization, fixed in Cursor 3.0), both confirming arbitrary out-of-workspace file write as the impact (AWS GHSA-6v3r-4p5c-mrp5, 2026-06-23; Cursor GHSA-3v8f-48vw-3mjx, 2026-06-05). Google fixed Antigravity (CVE pending at publication). Augment and Windsurf acknowledged the report but were still testable-vulnerable at disclosure (Wiz Research, 2026-07-08). Anthropic assessed the report as outside its threat model for Claude Code — its stated rationale is that a user who starts a session in a directory has already extended trust to it — while noting it had shipped a symlink warning in the Edit/Write permission dialog in v2.1.32 (5 Feb 2026) as unrelated proactive hardening (Wiz Research, 2026-07-08). Mapped to T1195.002 Compromise Software Supply Chain, T1222 File and Directory Permissions Modification (via symlink) and T1552.004 Unsecured Credentials (authorized_keys write).

The user approves what they believe is a harmless local edit; the agent writes to a sensitive file outside of the project workspace.

Wiz Research 2026-07-08

Missing symlink validation in Language Servers for AWS may allow an arbitrary file write outside of the workspace trust boundary.

AWS GitHub Security Advisory (GHSA-6v3r-4p5c-mrp5) 2026-06-23

A malicious agent could write arbitrary files outside the workspace under the user's privileges. This enables non-sandboxed Remote Code Execution.

Cursor GitHub Security Advisory (GHSA-3v8f-48vw-3mjx) 2026-06-05

Defender actions

  • Patch AWS language-servers to ≥ 1.69.0 (@aws/lsp-codewhisperer ≥ 0.0.117) and Cursor to ≥ 3.0 now; for Augment and Windsurf, restrict use against untrusted/external repositories until a fix ships.
  • Alert on any AI-coding-assistant agent process writing to credential/dotfile paths (~/.ssh/*, shell rc files, cloud-credential files) and on git-clone operations that create symlinks resolving outside the repository root.
PROVENANCE

AI-generated · no human review · this permalink is the shareable record for the finding · verify operationally critical claims against the linked primary source.