{"data":{"id":"e320edb9-ae31-449b-96c1-313853281929","title":"AI coding tool hole illustrates a big problem with human in the loop","summary":"GhostApproval is a vulnerability affecting six major AI coding assistants (Amazon Q Developer, Claude Code, Augment, Cursor, Google Antigravity, and Windsurf/Devin Desktop) that allows attackers to escape sandboxes (isolated, restricted environments) by tricking the AI into accessing files outside the workspace while misleading the human reviewing the action. The attack exploits symbolic links (special files that act as shortcuts to other files or directories) combined with UI misrepresentation, where the confirmation prompt shown to the user hides dangerous information so they unknowingly approve harmful file access.","solution":"AWS, Cursor, and Google fixed the issue promptly. Anthropic had already fixed the problem before being contacted by Wiz. Augment and Windsurf/Devin acknowledged receipt but provided no public statement on fixes.","labels":["security"],"sourceUrl":"https://www.csoonline.com/article/4195235/ai-coding-tool-hole-illustrates-a-big-problem-with-human-in-the-loop.html","publishedAt":"2026-07-09T22:55:40.000Z","cveId":null,"cweIds":null,"cvssScore":null,"cvssSeverity":null,"severity":"high","attackType":["prompt_injection","supply_chain"],"issueType":"news","affectedPackages":null,"affectedVendors":["Amazon","Anthropic","Google"],"affectedVendorsRaw":["Amazon Q Developer","Anthropic Claude Code","Augment","Cursor","Google Antigravity","Windsurf","Devin Desktop"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":null,"epssScore":null,"patchAvailable":null,"disclosureDate":"2026-07-09T22:55:40.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["integrity","confidentiality"],"aiComponentTargeted":"agent","llmSpecific":false,"classifierConfidence":0.92,"researchCategory":null,"atlasIds":null}}