HomeIntelligenceBrief
VULNERABILITY BRIEF🟠 High Vulnerability

AI Coding Assistants Can Be Tricked into Overwriting Sensitive Files via Fake Approval Prompts

Wiz researchers showed that six AI coding assistants can be duped into writing to privileged files like SSH keys while showing a harmless‑file name in the approval dialog. The flaw highlights a control‑gap that SOC 2 audits must evidence, emphasizing the need for path‑validation and continuous monitoring.

LiveThreat™ Intelligence · 📅 July 10, 2026· 📰 databreachtoday.com
🟠
Severity
High
VU
Type
Vulnerability
🎯
Confidence
High
🏢
Affected
2 sector(s)
Actions
2 recommended
📰
Source
databreachtoday.com

AI Coding Assistants Can Be Tricked into Overwriting Sensitive Files via Fake Approval Prompts

What Happened — Researchers at Wiz demonstrated that six popular AI‑driven coding assistants (Amazon Q Developer, Anthropic Claude Code, Augment, Cursor, Google Antigravity, and Windsurf) can be deceived into writing to privileged files such as ~/.ssh/authorized_keys while displaying an approval dialog that references a harmless‑looking file. The attack leverages Unix symbolic links (symlinks) and a UI mismatch where the agent’s internal reasoning knows the true target but the confirmation prompt does not.

Why It Matters for Compliance & Audit Readiness

  • The flaw bypasses the Access Control principle that SOC 2 Trust Services Criteria require: “Logical access to system components is restricted to authorized users and processes.”
  • Mis‑aligned UI prompts create a gap in Change Management evidence, making it difficult to prove that only approved changes were applied—a key audit artifact.
  • Continuous control monitoring can surface such path‑validation failures early, providing defensible evidence that your organization enforces “least‑privilege” and “secure development” controls.

Who Is Affected – SaaS AI coding tool vendors, development teams in technology, fintech, and any organization that integrates AI assistants into CI/CD pipelines.

Recommended Actions

  • Map the symlink‑validation failure to the SOC 2 CC6.1 – Change Management and CC7.1 – Least‑Privilege Access controls in your compliance framework.
  • Deploy automated file‑path validation and integrity checks as part of your CI/CD pipeline; capture logs as continuous audit evidence.
  • Conduct a focused security‑awareness session for developers on the risks of AI‑generated code modifications.

Source: DataBreachToday

Technical Notes – The attack exploits the Unix symlink feature; no CVE is assigned yet. Affected tools wrote to the target file before or after showing a deceptive approval dialog. Data at risk includes SSH private keys and shell startup scripts, which could grant persistent, password‑free access.

📰 Original Source
https://www.databreachtoday.com/ai-coding-tools-fake-approval-prompts-a-32193

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Trust Operations

Every gap like this maps to a control you can evidence.

The Verisq AI Trust Operations platform maps incidents to your control framework and collects the evidence continuously — so your Trust Center shows proof, not promises, when a buyer or auditor asks.

Explore the Verisq AI Trust Operations platform →