Augment Code A.I CyberSecurity Scoring
Augment Code
Company Information
Website:http://www.augmentcode.com
Employees number:186
Number of followers:17,831
NAICS:5112
Industry Type:Software Development
Homepage:augmentcode.com
Augment Code Risk Score (AI oriented)
Between 750 and 799
Augment CodeSoftware Development
Updated:
09/07/2026
09/07/2026
750/1000
Fair
Baa
Augment Code Global Score (TPRM)
xxxx
Augment CodeSoftware Development
Score locked

Augment CodeFair
Current Score
750Baa (FAIR)
01000
1 incidents
-3 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JULY 2026
753
Vulnerability
08 Jul 2026 • Augment Code
Cursor, Anthropic, Amazon Web Services, Augment, Windsurf and Google: New GhostApproval Vulnerability Affects Amazon Q, Claude Code, Cursor, and Other AI Agents
GhostApproval Vulnerability Exposes Critical Flaw in Major AI Coding Assistants
750
CRITICAL-3
ANYWINGOOAMAAUGANT1783578409
GhostApproval Vulnerability Exposes Critical Flaw in Major AI Coding Assistants
A newly identified vulnerability, dubbed GhostApproval, has revealed a systemic security flaw in six widely used AI coding assistants Amazon Q Developer, Anthropic Claude Code, Augment, Cursor, Google Antigravity, and Windsurf allowing attackers to bypass human-in-the-loop (HITL) safety controls and potentially achieve remote code execution on developers' machines.
Discovered by Wiz researchers, the exploit leverages symbolic link following (CWE-61), a technique historically used in Docker escapes and privilege escalation attacks but now repurposed to target AI coding tools. The attack is deceptively simple: an attacker crafts a malicious repository containing a symlink (e.g., project_settings.json → ~/.ssh/authorized_keys). When a developer clones the repo and instructs their AI assistant to "set up the workspace," the agent follows the symlink, writing the attacker’s SSH public key directly to the victim’s authorized_keys file, granting persistent, password-less access.
What makes GhostApproval particularly insidious is its UI misrepresentation layer (CWE-451). In testing, Anthropic’s Claude Code demonstrated this flaw: while the agent’s internal reasoning correctly identified the symlink’s true target (e.g., a zsh configuration file), the user-facing prompt merely asked, "Make this edit to project_settings.json?" This discrepancy turns HITL safeguards into a false sense of security, as users unknowingly approve malicious actions.
### Vendor Responses & Patches
Three vendors issued fixes:
- Amazon Web Services (AWS) patched the issue in language server v1.69.0 (May 27, 2026, CVE-2026-12958).
- Cursor released a fix in v3.0 (June 5, 2026, CVE-2026-50549).
- Google (Antigravity) deployed a fix on May 22, 2026, though it has not yet assigned a CVE.
Augment and Windsurf acknowledged the reports but had not fully addressed the issue at the time of disclosure. Windsurf’s pre-authorization variant was especially dangerous, as the agent wrote files to disk before displaying the confirmation dialog, effectively making the prompt an "undo" rather than a security gate.
Anthropic initially rejected the report, arguing that user-trusted directories and approved prompts shifted responsibility to the end user. However, after further review, versions 2.1.173+ now resolve symlinks and warn users before writing to sensitive files a change that had been implemented in v2.1.32 (February 5, 2026) as part of internal security hardening.
### Mitigation Recommendations
Wiz researchers outlined three key defenses for AI coding tool vendors:
1. Resolve symlinks before displaying prompts always show the canonical target path.
2. Warn explicitly when resolved paths exit the workspace writes to ~/.ssh/authorized_keys should be visibly distinct from those to ./config.json.
3. Never write to disk before explicit user authorization confirmation dialogs must act as security gates, not undo mechanisms.
The vulnerability was first discovered on February 10, 2026, with vendor reports submitted between February 12 and March 5, 2026. Public disclosure occurred on July 8, 2026, following a 90+ day coordinated disclosure window.
GhostApproval highlights a category-level design gap in AI coding assistants, where HITL controls intended as a last line of defense can be systematically bypassed. As AI agents gain greater autonomy over developer filesystems, the integrity of these controls must be treated as a first-class security requirement.
INCIDENT DETAILS -
TYPE
IMPACT
DATA BREACH
REFERENCES
JUNE 2026
753
MAY 2026
753
APRIL 2026
753
MARCH 2026
753
FEBRUARY 2026
753
JANUARY 2026
753
DECEMBER 2025
753
NOVEMBER 2025
753
OCTOBER 2025
753
SEPTEMBER 2025
753
AUGUST 2025
753
Frequently Asked Questions
?
What is the current A.I Rankiteo Cyber Score for Augment Code ??
What was Augment Code's A.I Rankiteo Cyber Score in June 2026 ??
What was Augment Code's A.I Rankiteo Cyber Score in May 2026 ??
What was Augment Code's A.I Rankiteo Cyber Score in April 2026 ??
What was Augment Code's A.I Rankiteo Cyber Score in March 2026 ??
What was Augment Code's A.I Rankiteo Cyber Score in February 2026 ??
What was Augment Code's A.I Rankiteo Cyber Score in January 2026 ??
What was Augment Code's A.I Rankiteo Cyber Score in December 2025 ??
What was Augment Code's A.I Rankiteo Cyber Score in November 2025 ??
What was Augment Code's A.I Rankiteo Cyber Score in October 2025 ??
What was Augment Code's A.I Rankiteo Cyber Score in September 2025 ??
What was Augment Code's A.I Rankiteo Cyber Score in August 2025 ??
What is the average per-incident point impact on Augment Code's A.I Rankiteo Cyber Score over the past 12 months ??
Where can I access detailed records of all cyber incidents associated with Augment Code ??
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology ??
Where can I view Augment Code's profile page on Rankiteo ??
How accurate is the A.I Rankiteo Risk Scoring methodology ?