AI coding agents expose GhostApproval sandbox bypass

For practitioners, GhostApproval is a reminder that agent autonomy increases the attack surface where decades-old filesystem tricks still work, making sandboxing and approval flows critical controls to re-evaluate. Reported facts: The Register reports that Google-owned security company Wiz discovered a vulnerability it named "GhostApproval" that can trick AI coding assistants into accessing files outside a workspace sandbox and lead to remote code execution. The Register says Wiz reported the issue to six vendors. According to The Register, Amazon/AWS, Cursor, and Google deemed the flaw critical or high-severity and have fixed it, with AWS and Cursor issuing CVE trackers and Google working to do so. The Register reports Augment and Windsurf acknowledged the report but have not patched it, and Anthropic called the issue "outside our threat model."
Editorial analysis
GhostApproval highlights a recurring operational risk for teams that give code-writing agents broad filesystem or repository access. Human-in-the-loop approvals and shallow sandboxing create trust-boundary gaps that can be exploited via symlink-based path escapes long known in Unix-era security.
What happened
The Register reports that Google-owned security company Wiz found a "systematic vulnerability pattern" affecting at least six widely used AI coding assistants and named it GhostApproval. The Register says the flaw can be abused to trick agents into following symlinks to files outside the intended workspace, enabling remote code execution on the developer machine. The Register quotes Wiz researcher Maor Dokhanian: "AI coding tools are routinely granted deep access to enterprise codebases and cloud environments."
Observed vendor response
The Register reports that Amazon/AWS, Cursor, and Google treated the bug as critical or high-severity and have issued fixes; AWS and Cursor have already published CVE trackers and Google is reported to be in the process of doing so. The Register states that Augment and Windsurf acknowledged Wiz's report but had not patched at the time of publication, and that Anthropic described the issue as "outside our threat model."
Editorial analysis - technical context
Symlink resolution and strict path canonicalization are basic controls that agent frameworks must enforce before performing filesystem operations. Teams integrating agents should treat these controls as part of defense-in-depth rather than optional hardening, because agent workflows typically combine decision logic with filesystem mutation.
For practitioners - what to watch
monitor vendors' CVE advisories, check whether patches alter agent permissions or introduce safer approval flows, and audit tooling that grants agents repository or local filesystem access.
Key Points
- 1Human-in-the-loop approvals can be bypassed by symlink attacks, reviving Unix-era filesystem risks for agent architectures.
- 2Coordinated disclosure led major vendors to patch quickly, but uneven responses across suppliers raise enterprise exposure windows.
- 3Teams deploying coding agents should assume sandbox escapes are possible and treat symlink resolution as a mandatory hardening control.
Scoring Rationale
This is a notable security finding affecting multiple popular coding agents; coordinated vendor fixes reduce immediate risk, but inconsistent remediation across vendors raises operational concerns for practitioners.
Sources
Public references used for this report.
Practice interview problems based on real data
1,625 SQL & Python problems across 15 industry datasets — the exact type of data you work with.
Try 250 free problems
