
Every AI coding agent with filesystem write access asks you, at some point, to approve an edit. That approval prompt is the whole safety model — it’s the one moment a human is supposed to catch something the agent got wrong before it happens. Wiz Research’s July 8 disclosure of a vulnerability class it calls GhostApproval shows what happens when the model reasons its way to the right answer internally, and the UI shows you a different one anyway. Six agents were affected, including Claude Code. The most interesting part isn’t the bug — it’s how Anthropic responded to being told about it.
How the Attack Works#
The mechanics are old-school Unix, repackaged for an agent that trusts its own tool outputs a little too much. A malicious repository ships a symbolic link disguised as an ordinary project file — say, project_settings.json — that actually points somewhere sensitive: ~/.ssh/authorized_keys, a shell profile, a CI credentials file, anything writable outside the project sandbox. When a prompt-injected instruction (buried in a README, an issue, or a config comment) tells the agent to “update the config file,” the agent follows the symlink and writes to the real target.
That alone is CWE-61, symlink following — a known, decades-old class of bug. What makes GhostApproval distinct is the second half: CWE-451, UI misrepresentation. Wiz found that in at least one traced session, Claude Code’s own internal reasoning correctly identified the danger — flagging internally that “this is a symbolic link to the Claude settings file” — and then surfaced a permission prompt to the user reading something like “Make this edit to project_settings.json?” The agent knew. The user wasn’t told. Consent was requested for a decoy, not for the action actually about to happen.
Six products were confirmed vulnerable: Amazon Q Developer, Anthropic Claude Code, Augment, Cursor, Google Antigravity, and Windsurf. That’s a wide enough spread to make this a category flaw in how agentic coding tools build consent UIs generally, not a bug specific to one vendor’s implementation — a useful corrective for anyone tempted to read this as a Claude Code-specific story rather than an industry-wide one.
The Disclosure Timeline — and Anthropic’s First Answer#
Wiz discovered the issue February 10, 2026, and submitted the report to Anthropic on February 14. Anthropic acknowledged receipt the next day and rejected it. The company’s stated reasoning, quoted directly in Wiz’s writeup:
“This falls outside our current threat model. When the user first starts Claude Code in a directory, they must confirm that they trust the directory prior to starting the session. The scenario you describe involves a user explicitly confirming a permission prompt inside of a directory containing a malicious symlink, which falls outside of the Claude Code threat model.”
Read narrowly, that’s not an unreasonable position — Claude Code’s directory-trust gate is a real control, and “the user already trusted this folder” is a legitimate boundary to draw somewhere. But it sidesteps the actual finding: the complaint was never that a symlink exists in a trusted directory. It’s that the specific permission prompt the trust model relies on to catch a subsequent dangerous action was showing false information. Trusting a directory at session start and being asked to approve a discrete file edit later are two different consent events, and GhostApproval breaks the second one regardless of how well the first one worked.
Nine days before that rejection landed — February 5, in v2.1.32 — Claude Code had shipped symlink resolution and warnings as part of a routine release. It would be a tidy story if that fix quietly resolved Wiz’s report before Anthropic even formally rejected it. It didn’t: Anthropic later clarified the change was “proactive security hardening based on internal review,” unconnected to Wiz’s submission, which was still five months from public disclosure at that point. Two unrelated teams inside the same security space, working the same class of problem, past each other. Wiz went public July 8, roughly five months after first contact — a considerably longer responsible-disclosure runway than most researchers grant before going public, and long enough that it’s fair to ask what changed in the interim across all six vendors, not just Anthropic.
Why “Outside the Threat Model” Is the Wrong Instinct Here#
This blog has been consistently pro-Claude Code on architecture — terminal-native execution, explicit sandboxing primitives like sandbox.credentials, and a faster patch cadence than the IDE-embedded competition are real, structural advantages, not marketing. That case gets harder to make cleanly when the first response to a well-formed report is to define the problem out of scope rather than fix the specific UI lie being described. “The user trusted the directory” is true and irrelevant; “the confirmation dialog said something false” is the actual finding, and it doesn’t stop being true just because it happens after a trust boundary the user already crossed.
The good news is structural, not rhetorical: Claude Code’s sandbox.credentials model — which blocks agent commands from reading credential files and secret environment variables outright, rather than relying on a human to correctly parse a filename in a dialog box — is exactly the right shape of fix for this entire vulnerability class, because it doesn’t depend on the UI telling the truth. It’s a resource-level control instead of a presentation-level one. Whether Anthropic extends that model to cover write targets the way it already covers credential reads is the thing worth watching, not the wording of the initial rejection.
The Pattern This Fits#
GhostApproval is the third distinct agentic-coding security disclosure in as many weeks: SymJack and TrustFall (Adversa AI, symlink hijacks and one-click .mcp.json trust-dialog RCEs across six agents) and GuardFall (Adversa AI again, shell-guard bypasses in 10 of 11 open-source agents) both landed in the past three weeks, and both share GhostApproval’s core theme: the safety control that’s supposed to stop the bad thing is real, present, and shipping — and it’s the presentation layer between the agent’s reasoning and the human’s understanding that keeps breaking. Command-string blocklists get bypassed by bash rewriting. Trust dialogs get bypassed by symlink resolution happening after the filename is already rendered. The industry keeps building consent UIs that assume the string shown to the user and the resource actually touched are the same thing. They increasingly aren’t.
For teams running any of the six affected agents against untrusted or third-party repositories, the practical mitigation today is unglamorous: treat symlinks in cloned repos as hostile by default, and don’t extend directory-level trust decisions to cover every file operation that follows — a resource-scoped credential guard, not a one-time folder prompt, is the control that actually holds.
Sources:
- Wiz Research: GhostApproval — A Trust Boundary Gap in AI Coding Assistants
- The Hacker News: GhostApproval Symlink Flaws
- The Register: Bug in Top AI Coding Agents Shows Unix-Era Security Headaches Never Really Die
- SecurityWeek: AI Coding Tools Tricked Into Hacking Developer Machine via Decades-Old Technique
