Six of the most-used AI coding assistants share an architectural assumption so old it predates modern desktop operating systems: they will follow a symlink anywhere, including into files the developer never meant to expose. Cloud security firm Wiz disclosed the pattern on Wednesday under the name GhostApproval and called it a cross-vendor trust-boundary gap rather than a single vulnerability.
The proof-of-concept is short enough that any developer can read it. Wiz planted a symlink in a malicious repository that pointed at ~/.ssh/authorized_keys. When an AI coding agent operating inside that repo was asked to perform a routine task, it wrote through the symlink and inserted an attacker-controlled SSH key into the developer's authorized keys file. There was no approval prompt. The interactive permission gate that vendors market as their safety layer never fired. The agent believed it was writing inside the working directory.
Six products failed in the same way: Amazon Q Developer, Anthropic's Claude Code, Augment, Cursor, Google Antigravity, and Windsurf. Wiz reproduced each locally, according to the disclosure. The common thread is not shared code. It is a shared assumption that the filesystem the agent can see is the filesystem the developer trusts.
The patch landscape at disclosure was uneven. AWS shipped a fix tracked as CVE-2026-12958; Cursor's fix landed in v3.0 as CVE-2026-50549; Google patched Antigravity on May 22, with a CVE identifier still pending. Augment and Windsurf acknowledged the report but had not shipped a fix. Anthropic took a different position. The company told The Register the behavior falls outside Claude Code's threat model, on the grounds that symlink-following is documented developer behavior, and shipped symlink resolution in v2.1.173 as a defense-in-depth change rather than a security fix.
Side by side, those responses amount to an industry that has not yet decided what a coding agent is supposed to refuse. Anthropic's framing is consistent with how Claude Code is positioned: an assistant for a developer who already controls the machine, writing files inside the project tree as part of the job. The trouble is that a symlink from inside the project tree to a sensitive file outside it is exactly the boundary developers have been warned about since the 1990s. Every operating system since then has shipped mitigations such as restricted symlink scopes and Git's own blocked-path checks, none of them visible to the agent.
The unresolved question is whether the entire cohort of coding agents is operating against a trust model that no longer fits how developers work. Treating project-local commands as safe by default made sense when projects lived on a single developer's machine and dotfile directories were the developer's own. Today the project tree is cloned from strangers on the internet, and the agent acts on whatever it finds there. The Unix primitive at the center of GhostApproval is not making a comeback. It was never gone.