AI coding tool hole illustrates a big problem with human in the loop
Summary
GhostApproval is a vulnerability affecting six major AI coding assistants (Amazon Q Developer, Claude Code, Augment, Cursor, Google Antigravity, and Windsurf/Devin Desktop) that allows attackers to escape sandboxes (isolated, restricted environments) by tricking the AI into accessing files outside the workspace while misleading the human reviewing the action. The attack exploits symbolic links (special files that act as shortcuts to other files or directories) combined with UI misrepresentation, where the confirmation prompt shown to the user hides dangerous information so they unknowingly approve harmful file access.
Solution / Mitigation
AWS, Cursor, and Google fixed the issue promptly. Anthropic had already fixed the problem before being contacted by Wiz. Augment and Windsurf/Devin acknowledged receipt but provided no public statement on fixes.
Classification
Affected Vendors
Related Issues
Original source: https://www.csoonline.com/article/4195235/ai-coding-tool-hole-illustrates-a-big-problem-with-human-in-the-loop.html
First tracked: July 9, 2026 at 08:01 PM
Classified by LLM (prompt v3) · confidence: 92%