On July 7, Wiz Research published the details of GhostApproval, a symlink trust-boundary flaw affecting six of the most widely deployed AI coding assistants: Amazon Q Developer, Claude Code, Cursor, Windsurf, Augment, and Google Antigravity. The mechanism is simple. A repository contains a file named project_settings.json that is actually a symlink pointing to ~/.ssh/authorized_keys. The developer asks their coding assistant to set up the workspace. The tool writes attacker-controlled content to the authorized keys file. The developer’s approval dialog showed them project_settings.json, a harmless filename. The agent resolved the symlink to the sensitive destination and wrote there anyway.

That is the event. Here is the more important story: the six vendors reached four different conclusions about what to do with it. Amazon, Google, and Cursor shipped fixes. Anthropic disputed that Claude Code’s behavior constitutes a vulnerability, placing it outside their stated threat model. Augment and Windsurf went quiet. One flaw, six vendors, four responses, zero consensus on whose responsibility it was.

That divergence is what GhostApproval actually proves.

The Security Model That Was Never Written Down

AI coding assistants are not tools in the traditional sense. They are agents: they take instructions in natural language, interpret intent, and execute file reads, writes, terminal commands, and repository operations on behalf of the developer. To do this work, they need real system access. That access has been granted implicitly, as a product requirement, not as a deliberately scoped security decision.

The result is a category of tools with significant file system write access, operating under trust models that no vendor has fully documented and no user has explicitly approved. The approval dialog in GhostApproval was designed to address this problem: show the developer what the agent is about to do and get informed consent before acting. GhostApproval proved the dialog can be bypassed by showing the harmless symlink name while resolving to the sensitive destination. The control meant to give users visibility into agent behavior silently failed in the exact scenario where it was most needed.

When Wiz disclosed this to six vendors, the resulting response divergence revealed that none of them had fully defined where their tool’s responsibility ended. Amazon, Google, and Cursor treated it as a vulnerability and patched. Anthropic concluded that following symlinks in a cloned repository is outside Claude Code’s stated threat model, meaning the tool operates as designed when it writes to a symlink target. Augment and Windsurf have not responded publicly. Those are not four different technical assessments of the same flaw. They are four different security contracts with users, none of which was disclosed in advance.

This matters because a user cannot make an informed decision about which tool to run on their developer machine without knowing each vendor’s threat model boundaries. Most users don’t know those boundaries exist, because they were never clearly published.

The Same Week, the Execution Layer

GhostApproval targets AI coding assistants at the developer’s machine. In the same week, Sysdig documented the conclusion of JADEPUFFER, a threat actor that ran the first confirmed autonomous AI ransomware operation via a compromised Langflow deployment.

The entry point was CVE-2025-3248, a remote code execution flaw in Langflow with an EPSS score of 0.918. After gaining access to the Langflow instance, the attacker handed control to an LLM agent. That agent performed reconnaissance, credential theft, lateral movement, privilege escalation, and encrypted 1,342 Nacos service configuration records, all without human direction, completing the full kill chain in under 20 hours. Six hundred coordinated payloads executed autonomously. No human attacker directed the operation after the initial exploit was delivered.

The two incidents target different layers of the AI toolchain: GhostApproval targets the front end, the coding assistant running on developer machines; JADEPUFFER targets the back end, the orchestration framework running production AI workloads. Both attacks exploit the same premise. These tools were given real system access, developer machines in one case and production service configurations in the other, and they were not hardened, monitored, or inventoried at the same level as the infrastructure they touch.

Security teams that have spent three years building detection coverage for production application servers often have zero visibility into what their AI agent frameworks are doing on the same network. JADEPUFFER ran 600 payloads across a production environment without triggering detection. GhostApproval would have written SSH keys to developer machines without appearing in security tooling that wasn’t explicitly watching for symlink resolution paths. These are not evasion techniques. The tools were simply never added to the inventory.

The Approval Dialog Is Not a Security Control

The deeper problem GhostApproval reveals is architectural. The approval dialog was positioned as the human-in-the-loop check that makes AI coding assistants safe to run with elevated file system access. The thinking was: if the agent must show the user what it’s about to do and get confirmation, then users retain meaningful control over agent behavior.

GhostApproval demonstrates that this reasoning has a boundary condition. The dialog shows what the agent thinks it is doing. It does not verify what the agent will actually do. When a symlink is involved, those two things diverge, and the human approves based on false information. The control that was supposed to prevent unauthorized writes to sensitive locations fails in the specific scenario where an attacker has prepared the repository to exploit it.

This is not a flaw unique to symlinks. It is a general problem with approval-dialog-as-security-control: the dialog reflects the agent’s interpretation, not an independent verification of the operation’s actual effect. Any gap between those two things is an attack surface.

The four PraisonAI advisories filed in the same week point in the same direction from a different angle. All four share one root cause: security features, authentication, sandbox isolation, code execution controls, that silently disable themselves when not explicitly configured rather than defaulting to block. The developer who deploys PraisonAI without explicitly configuring authentication gets an installation that appears to have authentication but does not. The PraisonAI sandbox appears to be active until a Landlock unavailability silently removes it. Across both GhostApproval and PraisonAI, the pattern is the same: security controls that appear present to the developer while failing operationally in the scenarios that matter.

Where This Goes

The MCP ecosystem has generated new CVEs for ten consecutive weeks. The AI rapid exploitation cluster has been tracked for eleven. This is not a spike in researcher attention that will fade once the tooling matures. It is a sustained campaign of vulnerability discovery and exploitation against a target class that the security industry has not yet caught up with.

Three things need to happen, and the current vendor response divergence suggests none of them are close.

First, vendors need to publish explicit threat model boundaries before deployment, not after a researcher discloses a flaw. Users cannot evaluate the security of tools whose attack surfaces have not been defined. The GhostApproval divergence is not a bug in vendor communication; it is evidence that these threat models were not defined internally before shipping.

Second, AI agent frameworks need to be treated as production infrastructure for patch management and monitoring purposes. CVE-2025-3248 (Langflow RCE) had an EPSS score of 0.918 when JADEPUFFER exploited it. Organizations running Langflow without monitoring it at the same urgency level as an internet-facing application server made a category error about what kind of asset they were operating.

Third, repository trust policies need to be explicit. Every AI coding assistant connecting to third-party or untrusted repositories is running under an implicit trust model that GhostApproval proved can be exploited from a single crafted symlink in a repository the developer has never reviewed. The controls that exist for dependency trust, for code review, for third-party package evaluation, need to extend to the repositories that AI coding assistants are authorized to operate in.

For Amazon Q Developer, Cursor, and Google Antigravity users, the patch is available. For Augment and Windsurf users, restriction to trusted repositories is the operative control until patches ship. For Langflow and adjacent AI orchestration deployments including LangGraph, PraisonAI, and Open WebUI: patch to current vendor versions, isolate from public internet access, and audit production service configurations for unauthorized changes.

The agent approved it anyway. The question now is whether defenders will treat that as a product-level bug or as a signal about the category.


Security Unlocked publishes weekly threat intelligence and strategic analysis. This post is based on intelligence collected July 6-12, 2026.