Full Report
If a setting fails in the forest and nobody hears it ...
Analysis Summary
# Vulnerability: Amazon Quick AI Chat Agent Authorization Bypass
## CVE Details
- **CVE ID**: Not Assigned (AWS classified severity as "None" and did not issue a formal CVE or advisory).
- **CVSS Score**: N/A (AWS internal assessment: 0.0 / None).
- **CWE**: CWE-863: Incorrect Authorization.
## Affected Systems
- **Products**: Amazon Quick (formerly known as QuickSight / Quick Suite).
- **Versions**: All versions prior to the March 12, 2026, patch.
- **Configurations**: Instances where administrators used "Custom Permissions" to restrict or deny access to AI Chat Agents.
## Vulnerability Description
A flaw existed in the Amazon Quick API where server-side validation was missing for AI Chat Agent requests. While the Quick management console (UI) correctly respected "Custom Permissions" by hiding the chat interface from unauthorized users, the underlying API remained exposed.
Authenticated users within an AWS account could bypass the UI restrictions by sending direct HTTP requests to the chat agent endpoint. This allowed unauthorized users to query the AI agent, which is integrated with sensitive business data sources (Slack, Microsoft Teams, Outlook, CRMs, and databases).
## Exploitation
- **Status**: PoC available (demonstrated by Fog Security); logic confirmed by AWS.
- **Complexity**: Low (requires knowledge of the API endpoint).
- **Attack Vector**: Network (Authenticated). The attacker must be a valid user within the AWS account but does not require administrative privileges.
## Impact
- **Confidentiality**: High (Unauthorized access to "grounded" business data via AI queries).
- **Integrity**: Low (Chat agents are typically read-only, but logic may vary).
- **Availability**: None.
## Remediation
### Patches
- **AWS Managed Fix**: AWS deployed a server-side fix between **March 11 and March 12, 2026**. As this is a SaaS product, no customer action is required to apply the patch.
### Workarounds
- No temporary workarounds were provided prior to the patch, as "Custom Permissions" were the only available mechanism to control these specific AI features.
## Detection
- **Indicators of Compromise**: No specific IOCs provided. Customers would need to review CloudTrail or application-level logs for `Invoke` or `Chat` API calls to the Quick service from users who were intended to be restricted.
- **Detection methods**: AWS claims that no customers were actively using the "Admin Control" capability (Custom Permissions) at the time of discovery, suggesting that their internal telemetry showed no exploitation in the wild.
## References
- **Fog Security Blog**: hxxps[://]www[.]fogsecurity[.]io/blog/authorization-bypass-in-amazon-quick-ai-agents
- **AWS Statement**: No formal advisory published; communicated via media response.