Bug in top AI coding agents shows that Unix-era security headaches never really die

Bug in top AI coding agents shows that Unix-era security headaches never really die

Bug in top AI coding agents shows that Unix-era security headaches never really die

https://www.theregister.com/security/2026/07/08/bug-in-top-ai-coding-agents-shows-that-unix-era-security-headaches-never-really-die/5268025

Publish Date: 2026-07-08 10:00:00

Source Domain: www.theregister.com

UPDATED A “systematic vulnerability pattern” in at least six of the most widely used AI coding assistants can be abused to trick agents into accessing files outside the workspace sandbox, leading to remote code execution on the developer’s machine.

Google-owned security biz Wiz found the security gap, which it’s named “GhostApproval,” and reported it to all six: Amazon Q Developer, Anthropic Claude Code, Augment, Cursor, Google Antigravity, and Windsurf. 

Amazon, Cursor, and Google deemed the flaw critical or high-severity, fixed it, and either already issued (AWS and Cursor) a CVE tracker or are in the process of getting that done (Google). 

Augment and Windsurf acknowledged the Wiz-submitted vulnerability report, but haven’t patched the issue or warned users. 

In the race to ship autonomous features, trust-boundary gaps emerge between users, AI agents, and local filesystems. Classic security principles – like resolving symlinks before acting on paths – cannot be overlooked as we embrace new AI architectures

Anthropic eventually added a warning as part of “proactive security hardening based on internal review.”

While there’s no indication that this vulnerability is being actively exploited by attackers in the wild, it’s still a serious threat to enterprises rushing to deploy code-writing agents in their environments.

“AI coding tools are routinely granted deep access to enterprise codebases and cloud environments,” Wiz threat researcher Maor Dokhanian told The Register. “In the race to ship autonomous features, trust-boundary gaps emerge between users, AI agents, and local filesystems. Classic security principles – like resolving symlinks before acting on paths – cannot be overlooked as we embrace new AI architectures.”

Age-old headache meets AI coding agents

The problem stems from a long-standing security headache called symbolic links, aka “symlinks”. These files…

Source