← All stories
● Covered by 1 source Β· 1 reportHigh impact

Vulnerabilities in AI Coding Assistants Allow Code Execution via Symlinks

Aggregated by BrevFeed security Β· updated 1h ago
πŸ”– Save

Researchers identified vulnerabilities in six AI coding assistants that could allow malicious repositories to run arbitrary code on developers' machines. Exploiting symbolic links, attackers can manipulate the approval process of these tools, bypassing the user's consent and potentially leading to unauthorized access to sensitive files.

Key points

Overview of the Vulnerabilities

Wiz, a cybersecurity research firm, uncovered that six popular AI coding assistants are susceptible to a flaw they term 'GhostApproval'. This vulnerability can allow malicious code projects to gain control of a developer's machine by misleading the tools into granting file access without proper consent. The issue predominantly arises from the failure to check symbolic links (symlinks) during the approval process.

How the Attack Operates

The attackers can create a malicious repository that contains a symlink which points to sensitive files, such as the user's SSH login file. When the developer requests the tool to make changes, the assistant writes to the symlink, inadvertently allowing the attacker to insert their own SSH key into critical files. There are also variations that can modify shell startup files.

Exploiting User Consent

The breakdown occurs in the approval interface of the AI tools, which presents misleading information to the user. For instance, the confirmation box may only reference a benign file, thus misleading users into believing they are not risking sensitive information. Wiz refers to this as an informed-consent bypass. Furthermore, some tools, like Windsurf, fail to prompt user approval before performing potentially harmful actions, exacerbating the issue.

Response from Developers

As of now, three of the identified tools have provided fixes for the vulnerabilities, while two are still unpatched. Anthropic, the developer of Claude Code, disputes that this is a bug, despite Wiz's claims.

Importance of User Awareness

This research underscores the critical necessity for developers to recognize that sophisticated vulnerabilities can exploit common development tools. Developers should exercise caution and verify the actions of AI coding assistants, especially regarding file permissions and write operations.

✨ This summary was generated by AI from the outlets' reporting listed below. It is not independently verified and may contain errors β€” check the original sources. How BrevFeed works β†’

Primary sources

GitHub cursor/cursor CVE CVE-2026-129587.8 HIGH CVE CVE-2026-505499.8 CRITICAL CVE CVE-2026-129577.8 HIGH CVE CVE-2026-552008.1 HIGH CVE CVE-2026-468179.8 CRITICAL

Reporting from

Researchers identified vulnerabilities in six AI coding assistants that could allow malicious repositories to run arbitrary code on developers' machines. Exploiting symbolic links, attackers can manipulate the approval process of these tools, bypassing the user's consent and potentially leading to unauthorized access to sensitive files.