LIVE · cybersecurity feed
aihighCVE-2026-12958

Bug in top AI coding agents shows that Unix-era security headaches never really die

zeroday.news·4h ago

Security researchers have identified a significant vulnerability, termed "GhostApproval," affecting multiple widely-used AI coding assistants. This flaw allows malicious actors to trick these agents into accessing and modifying files beyond their intended sandbox environment, leading to potential remote code execution on a developer's machine. The vulnerability was discovered by Google-owned security firm Wiz.

At least six AI coding assistants are known to be affected, including Amazon Q Developer, Anthropic Claude Code, Augment, Cursor, Google Antigravity, and Windsurf. Wiz reported the findings to all vendors. Amazon, Cursor, and Google have acknowledged the severity, classifying it as critical or high, and have since released patches. Amazon and Cursor have also issued CVE identifiers for the flaw, while Google is in the process of doing so.

However, not all vendors have responded with the same urgency. Augment and Windsurf have acknowledged the report but have not yet released patches or warned their users. Anthropic, on the other hand, dismissed the vulnerability, stating it falls "outside our threat model" and took no action.

The "GhostApproval" vulnerability leverages a classic security weakness: symbolic links (symlinks). These are essentially shortcuts that point to another file or directory. Attackers can create a malicious repository containing a symlink disguised as a legitimate configuration file. When a developer asks the AI agent to set up the workspace or follow instructions within this repository, the agent may be tricked into writing sensitive data, such as an SSH public key, to a critical system file like `~/.ssh/authorized_keys`.

Many AI coding tools incorporate sandboxes and confirmation prompts to enhance security. However, Wiz found that in this case, the confirmation dialogs presented to users often obscure the true target of the file operation. Even when the AI agent recognizes that a symlink points to a sensitive file, the user prompt may display a benign file name, preventing the user from making an informed decision.

Anthropic's response to Wiz highlighted a debate around trust boundaries. The company argued that since the user had initially trusted the directory, any subsequent malicious action within it was the user's responsibility. This stance echoes past arguments used by major tech companies to avoid issuing CVEs for certain vulnerabilities.

Wiz, however, counters that the deceptive nature of the confirmation prompts makes informed consent impossible. The user is presented with a legitimate file name, leading them to approve an action that has severe, unintended consequences. This raises a design question: should AI tools proactively protect users from deceptive workspaces, or is identifying such threats solely the user's responsibility?

While Amazon, Cursor, and Google have treated "GhostApproval" as a genuine vulnerability and implemented fixes, the differing responses from vendors underscore the challenges in securing AI-powered development tools. The lack of a universal approach to such vulnerabilities could leave developers exposed, especially as these tools become more integrated into enterprise workflows.

aivulnerabilitysymlinkremote code executioncybersecurity
← Back to latest

More News

view all →
zeroday.news · 3h ago·high

Operationalizing Day Minus Seven: The Cloud-Native ROC

The article introduces the concept of a Risk Operations Center (ROC) as a necessary evolution for cybersecurity teams facing AI-driven threats. It argues that traditional risk management models are insufficient due to the speed at which AI can discover and exploit vulnerabilities, especially in cloud environments. A ROC, powered by platforms like Qualys Enterprise TruRisk Management (ETM), aims to unify disparate security findings, hyper-prioritize risks based on exploitability and business impact, and enable autonomous remediation to keep pace with attackers.

zeroday.news · 4h ago·high

3 Ways AI Powers Service Desk Attacks and How to Prevent Them

Artificial intelligence is increasingly being used by attackers to enhance service desk attacks, particularly during employee onboarding. AI tools can create more convincing impersonations, accelerate reconnaissance for personalized attacks, and scale malicious campaigns. To counter these threats, organizations need to implement stronger identity verification methods, such as secure password delivery, biometric liveness detection, and multi-factor authentication before sensitive actions are approved.

zeroday.news · 2h ago·high

China-Linked APT Expands Arsenal With New ‘Leash’ Backdoors

A China-linked advanced persistent threat (APT) group, identified as LapDogs, has reportedly enhanced its malicious toolkit. Security researchers have observed the deployment of three new backdoors: LongLeash, DogLeash, and JarLeash, which are designed to compromise small office/home office (SOHO) routers.

zeroday.news · 2h ago·high

RedWing Android Spyware Sold as a Service on Telegram

A new Android spyware called RedWing is being offered as a service on Telegram, allowing less sophisticated attackers to compromise phones and steal banking information. Researchers have identified it as a polished malware-as-a-service operation with extensive documentation and a subscription model, potentially linked to Russian threat actors. RedWing employs fake login overlays, SMS interception, call forwarding, and even screen control to harvest credentials and conduct further malicious activities.

zeroday.news · 3h ago·critical

Ubiquiti Patches Critical UniFi Flaws Across Connect, Talk, Access, Protect, and OS

Ubiquiti has released security updates to address several critical vulnerabilities affecting its UniFi product line, including UniFi Connect, Talk, Access, Protect, and OS. These flaws could allow attackers to escalate privileges or execute arbitrary commands on affected devices. While no active exploitation has been reported for these specific vulnerabilities, the company has previously seen its UniFi OS and Edge OS products targeted by threat actors.

zeroday.news · 3h ago·high

Armored Likho Hits Government, Energy Sectors With BusySnake Stealer

Cybersecurity researchers have identified a new threat actor, dubbed Armored Likho, targeting government and energy sectors in Russia, Kazakhstan, and Brazil with a sophisticated phishing campaign. The operation utilizes a custom-built Python infostealer named BusySnake, designed to steal credentials, sensitive documents, and other high-value data. The attackers employ AI-generated payloads to obscure their activities and maintain persistence through various methods, including reverse SSH tunneling.