GhostApproval: Symlink Flaw in AI Coding Assistants
GhostApproval: symlink flaw in AI coding tools (Claude Code, Cursor, Amazon Q) lets malicious repos escape sandboxes and access sensitive files.

On July 7, 2026, researchers at Noma Security disclosed GitLost, a critical vulnerability in GitHub Agentic Workflows that allows an unauthenticated attacker to leak data from an organization’s private repositories by simply posting a crafted issue in a public repository.
The attack requires no credentials, no write access, and no traditional software exploit — just the ability to open a public GitHub Issue and wait for the agent to process it.
GitHub Agentic Workflows let teams define automation in plain Markdown files that an AI agent (powered by Claude or GitHub Copilot) then executes as GitHub Actions. A common pattern is workflows that trigger on repository events such as issues.assigned, read the issue title and body, and then use tools like add-comment to respond.
Noma’s proof-of-concept showed that when such a workflow also has read access to other repositories in the same organization (a frequent configuration for cross-repo automation), an attacker can embed plain-English instructions inside a seemingly innocent public issue. The agent treats the untrusted issue content as authoritative instructions and retrieves sensitive files from private repositories, posting their contents back as a public comment.
In the published PoC, the attacker successfully caused the agent to read and expose the README from a private repository while also fetching content from public ones.
This is not a traditional vulnerability in the classical sense. It is a trust boundary failure at the intersection of event-driven automation and large language model behavior.
The core issue is simple but profound: the agent’s context window became its attack surface. Any content the agent is instructed to read — issues, pull request descriptions, file contents, or tool outputs — can contain hidden instructions that override or subvert the system’s intended behavior.
This mirrors the classic lesson from web application security: untrusted input must never be treated as trusted instructions. In agentic systems, that lesson applies to every piece of data that enters the agent’s context.
Key architectural implications include:
issues.assigned, pull_request.opened, and similar webhooks are now high-risk ingestion points when combined with AI agents.Teams using or evaluating GitHub Agentic Workflows (or similar event-driven agentic automation) should take the following steps immediately:
Apply least privilege aggressively. Scope agent permissions to the minimum repositories and actions required for the specific workflow. Avoid organization-wide or cross-repo read access unless there is a documented and reviewed justification.
Isolate untrusted input from instruction context. Treat issue titles, bodies, comments, and any user-generated content as untrusted data. Where possible, process this content through separate, non-instruction-following mechanisms before (or instead of) feeding it directly to the agent.
Add guardrails on public or high-visibility actions. Require human approval or additional policy checks before an agent can post public comments, create issues, or modify content that will be visible outside the organization.
Monitor and log agent decision traces. Record what the agent read, what instructions it followed, and what actions it took. This is essential for detection and forensic investigation of prompt injection attempts.
Red team the workflows. Include indirect prompt injection scenarios (especially via public issues and pull requests) in your regular testing of any agentic automation that touches sensitive data or has broad permissions.
GitLost is a textbook example of why prompt injection has become to agentic AI what SQL injection was to web applications: a systematic, category-wide vulnerability class rather than an edge-case problem.
As organizations increasingly deploy agents that can read from multiple sources, take autonomous actions, and operate across trust boundaries, the assumption that “our prompt will always be the most important instructions in context” breaks down. Adversaries only need to get malicious instructions into any part of the context the agent treats as input.
This incident should accelerate work on:
GitLost demonstrates that shipping powerful agentic capabilities without correspondingly strong trust boundary controls creates immediate, low-skill attack opportunities. The vulnerability was not in the underlying models but in how the system was architected to ingest and act on untrusted data.
For security teams, the takeaway is clear: every agent that can read external or user-controlled content and then take actions must be designed with the same rigor previously applied to traditional application security boundaries. The context window is the new perimeter — and right now, it is porous.
This post is based exclusively on disclosures and analysis from July 7–9, 2026.
Trent Leis
AI security consultant specializing in governance frameworks for regulated industries.
About the author →GhostApproval: symlink flaw in AI coding tools (Claude Code, Cursor, Amazon Q) lets malicious repos escape sandboxes and access sensitive files.
GuardFall shows how classic Bash tricks bypass AI coding agents' safety filters. Learn why regex guards fail and how to build resilient tool-use layers.
Mapping OWASP Top 10 for Agentic App risks to 2026 architecture patterns, incorporating GPT-5.6 over-agency findings for practical stack-level defenses.
Book a free 30-minute discovery call — no slides, just conversation.