Symlinks Let AI Coding Agents Escape Sandboxes
New research shows AI coding assistants can follow symlinks out of their workspace and write to sensitive files, often before or without clear user consent. The UI can hide the real target path, turning human approval into a rubber stamp. Attackers can gain persistence or exfiltrate secrets via crafted repos.
AI coding assistants keep promising a tidy Human-in-the-Loop safety story: the model suggests, you approve, nothing bad happens. The GhostApproval work shows how that falls apart when classic filesystem tricks meet agent automation. The flaw is simple and old. Symbolic links redirect file operations. The assistants read project instructions, then read or write to what looks like a harmless file in the repo. Except it is a symlink pointing at something you actually care about.
Across six tools, the authors observed a category pattern: follow a symlink and you have crossed the trust boundary. That is CWE-61 at the filesystem layer and, in several tools, CWE-451 at the interface. The UI displayed the friendly project filename while the agent had already resolved the path to the sensitive target. Users thought they were approving a local change. The tool knew otherwise.
How the compromise lands
The attacker ships a repo seeded with symlinks and a README that nudges the assistant to “update configuration” or “apply fixes.” The assistant dutifully edits the named file. The OS resolves the link to, say, ~/.ssh/authorized_keys or a shell startup file. In multiple cases the assistant wrote before showing any prompt, making the prompt an undo button rather than a gate. That is how you get instant persistence or remote code execution potential on a developer workstation without any theatrics.
Two extra details matter operationally. First, the assistants often knew the canonical path but hid it in the confirmation text. If you cannot see the real target, you cannot make an informed call, and the whole Human-in-the-Loop control turns into consent theatre. Second, this is cross-vendor. Six different stacks showed variants of the same mistake, which means it is a design blind spot, not a one-off bug.
Vendor movement and scope
Several vendors rolled fixes or mitigations. Amazon Q Developer, Cursor, and Google Antigravity shipped updates; Cursor and AWS have CVEs assigned (CVE-2026-50549 and CVE-2026-12958). Augment and Windsurf acknowledged and were working on it. Anthropic initially said it sat outside their threat model, then added symlink resolution and warnings in later releases. There is some debate about whether trusting a directory implies accepting its symlinks, but the demonstrated outcomes are hard to ignore when they include silent writes and credential injection.
If you think this is too theoretical, picture the 3 a.m. version: an assistant “helpfully” patches a config, your shell profile grows a line, and your CI boxes start seeing unusual keys. No exotic prompt injection needed, just file semantics and a UI that keeps the wrong secret.