Amazon Science A.I CyberSecurity Scoring
Amazon Science
Company Information
Website:https://www.amazon.science
Employees number:4
Number of followers:386,739
NAICS:5417
Industry Type:Research Services
Homepage:amazon.science
Amazon Science Risk Score (AI oriented)
Between 650 and 699
Amazon ScienceResearch Services
Updated:
09/07/2026
09/07/2026
680/1000
Weak
B
Amazon Science Global Score (TPRM)
xxxx
Amazon ScienceResearch Services
Score locked

Amazon ScienceWeak
Current Score
680B (WEAK)
01000
3 incidents
-24.33 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JULY 2026
685
Vulnerability
08 Jul 2026 • Amazon Science
Cursor, Anthropic, Amazon Web Services, Augment, Windsurf and Google: New GhostApproval Vulnerability Affects Amazon Q, Claude Code, Cursor, and Other AI Agents
GhostApproval Vulnerability Exposes Critical Flaw in Major AI Coding Assistants
680
CRITICAL-5
ANYWINGOOAMAAUGANT1783578409
GhostApproval Vulnerability Exposes Critical Flaw in Major AI Coding Assistants
A newly identified vulnerability, dubbed GhostApproval, has revealed a systemic security flaw in six widely used AI coding assistants Amazon Q Developer, Anthropic Claude Code, Augment, Cursor, Google Antigravity, and Windsurf allowing attackers to bypass human-in-the-loop (HITL) safety controls and potentially achieve remote code execution on developers' machines.
Discovered by Wiz researchers, the exploit leverages symbolic link following (CWE-61), a technique historically used in Docker escapes and privilege escalation attacks but now repurposed to target AI coding tools. The attack is deceptively simple: an attacker crafts a malicious repository containing a symlink (e.g., project_settings.json → ~/.ssh/authorized_keys). When a developer clones the repo and instructs their AI assistant to "set up the workspace," the agent follows the symlink, writing the attacker’s SSH public key directly to the victim’s authorized_keys file, granting persistent, password-less access.
What makes GhostApproval particularly insidious is its UI misrepresentation layer (CWE-451). In testing, Anthropic’s Claude Code demonstrated this flaw: while the agent’s internal reasoning correctly identified the symlink’s true target (e.g., a zsh configuration file), the user-facing prompt merely asked, "Make this edit to project_settings.json?" This discrepancy turns HITL safeguards into a false sense of security, as users unknowingly approve malicious actions.
### Vendor Responses & Patches
Three vendors issued fixes:
- Amazon Web Services (AWS) patched the issue in language server v1.69.0 (May 27, 2026, CVE-2026-12958).
- Cursor released a fix in v3.0 (June 5, 2026, CVE-2026-50549).
- Google (Antigravity) deployed a fix on May 22, 2026, though it has not yet assigned a CVE.
Augment and Windsurf acknowledged the reports but had not fully addressed the issue at the time of disclosure. Windsurf’s pre-authorization variant was especially dangerous, as the agent wrote files to disk before displaying the confirmation dialog, effectively making the prompt an "undo" rather than a security gate.
Anthropic initially rejected the report, arguing that user-trusted directories and approved prompts shifted responsibility to the end user. However, after further review, versions 2.1.173+ now resolve symlinks and warn users before writing to sensitive files a change that had been implemented in v2.1.32 (February 5, 2026) as part of internal security hardening.
### Mitigation Recommendations
Wiz researchers outlined three key defenses for AI coding tool vendors:
1. Resolve symlinks before displaying prompts always show the canonical target path.
2. Warn explicitly when resolved paths exit the workspace writes to ~/.ssh/authorized_keys should be visibly distinct from those to ./config.json.
3. Never write to disk before explicit user authorization confirmation dialogs must act as security gates, not undo mechanisms.
The vulnerability was first discovered on February 10, 2026, with vendor reports submitted between February 12 and March 5, 2026. Public disclosure occurred on July 8, 2026, following a 90+ day coordinated disclosure window.
GhostApproval highlights a category-level design gap in AI coding assistants, where HITL controls intended as a last line of defense can be systematically bypassed. As AI agents gain greater autonomy over developer filesystems, the integrity of these controls must be treated as a first-class security requirement.
INCIDENT DETAILS -
TYPE
IMPACT
DATA BREACH
REFERENCES
JUNE 2026
684
MAY 2026
688
Vulnerability
27 May 2026 • Amazon Science
OpenAI, Anthropic, xAI and Amazon: All Major LLMs Exposed to Multi-Turn Manipulation, Warn Researchers
Multi-Turn Attacks Bypassing LLM Safety Guardrails
683
CRITICAL-5
OPEANTAMAXAI1779892138
Cisco Researchers Warn of Multi-Turn Attacks Bypassing LLM Safety Guardrails
Researchers at Cisco have uncovered a critical vulnerability in leading large language models (LLMs), demonstrating that their safety guardrails can be bypassed through multi-turn conversations. The study tested widely used models including OpenAI’s ChatGPT, Anthropic’s Claude, Google Gemini, Amazon Nova, and xAI’s Grok revealing that none were fully resistant to exploitation.
The attack method relies on prolonged, iterative dialogue, where adversaries refine prompts, adopt personas, or gradually escalate requests to circumvent built-in protections. Unlike single-prompt testing, which many organizations rely on for safety evaluations, real-world attackers persist across multiple exchanges, exposing gaps in current security benchmarks.
Key findings include:
- No model was immune to multi-turn manipulation, challenging existing AI safety assessments.
- Techniques like roleplay, ambiguity, and reframing requests proved effective in bypassing guardrails.
- Configuration matters: For example, Grok became significantly more vulnerable when "reasoning mode" was enabled.
The report highlights a disconnect between current safety evaluations and real-world threats, warning that enterprises deploying LLMs may underestimate risks. As regulators push for improved testing standards, Cisco’s research underscores the need for more robust defenses against evolving attack vectors.
INCIDENT DETAILS -
TYPE
IMPACT
REFERENCES
MAY 2026
750
Breach
04 May 2026 • Amazon Science
Amazon Web Services and Braintrust: AI evaluation startup Braintrust confirms breach, tells every customer to rotate sensitive keys
Braintrust Urges API Key Rotation After AWS Cloud Breach Exposes Customer Secrets
687
LOW-63
AMAUSE1778092688
Braintrust Urges API Key Rotation After AWS Cloud Breach Exposes Customer Secrets
AI evaluation startup Braintrust has instructed customers to revoke and replace their API keys following unauthorized access to an Amazon Web Services (AWS) cloud account containing sensitive credentials. The breach, disclosed in an email sent to customers on Monday and later posted on the company’s website, involved an AWS account storing API keys used to access cloud-based AI models.
Braintrust confirmed the incident was contained, locking down the compromised account, auditing related systems, and rotating internal secrets. While the company stated it had only identified one impacted customer and found no evidence of broader exposure, it advised all users to rotate their stored API keys as a precaution. The cause of the breach remains under investigation.
In a statement to TechCrunch, Braintrust spokesperson Martin Bergman emphasized the move was taken "out of an abundance of caution," noting no evidence of a confirmed breach at the time of disclosure. The startup, which provides a platform for monitoring AI models and raised $80 million in a February funding round valuing it at $800 million, positions itself as an "operating system for engineers building AI software."
Cybersecurity experts warn the incident could have downstream effects for affected customers, particularly AI companies reliant on Braintrust’s infrastructure. Similar breaches, such as the 2023 attack on CircleCI, have demonstrated how compromised cloud accounts can expose API keys, allowing attackers to impersonate legitimate users and access systems without direct infiltration. Recent high-profile incidents, including a 2024 breach of an AWS account tied to the European Commission that exposed 92GB of data, underscore the growing threat of cloud-based credential theft.
INCIDENT DETAILS -
TYPE
IMPACT
DATA BREACH
REFERENCES
APRIL 2026
750
MARCH 2026
750
FEBRUARY 2026
750
JANUARY 2026
750
DECEMBER 2025
749
NOVEMBER 2025
749
OCTOBER 2025
749
SEPTEMBER 2025
749
AUGUST 2025
749
Frequently Asked Questions
?
What is the current A.I Rankiteo Cyber Score for Amazon Science ??
What was Amazon Science's A.I Rankiteo Cyber Score in June 2026 ??
What was Amazon Science's A.I Rankiteo Cyber Score in May 2026 ??
What was Amazon Science's A.I Rankiteo Cyber Score in April 2026 ??
What was Amazon Science's A.I Rankiteo Cyber Score in March 2026 ??
What was Amazon Science's A.I Rankiteo Cyber Score in February 2026 ??
What was Amazon Science's A.I Rankiteo Cyber Score in January 2026 ??
What was Amazon Science's A.I Rankiteo Cyber Score in December 2025 ??
What was Amazon Science's A.I Rankiteo Cyber Score in November 2025 ??
What was Amazon Science's A.I Rankiteo Cyber Score in October 2025 ??
What was Amazon Science's A.I Rankiteo Cyber Score in September 2025 ??
What was Amazon Science's A.I Rankiteo Cyber Score in August 2025 ??
What is the average per-incident point impact on Amazon Science's A.I Rankiteo Cyber Score over the past 12 months ??
Where can I access detailed records of all cyber incidents associated with Amazon Science ??
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology ??
Where can I view Amazon Science's profile page on Rankiteo ??
How accurate is the A.I Rankiteo Risk Scoring methodology ?