AWS confirmed Tuesday it patched an authorization bypass (CWE-862) in Amazon Quick โ the BI and agentic-AI service โ that let users with admin-denied permissions reach AI chat agents anyway. Fog Security's Jason Kao reported the bug via HackerOne (report #3577145) on March 4; AWS shipped the fix to initial regions on March 11 and completed rollout March 12. Public disclosure came today after the standard coordinated-disclosure window. The bug doesn't expose cross-tenant data, but for admins trying to govern "shadow AI" usage inside their own AWS account, it broke the only control they had.
The bypass mechanics are embarrassingly simple. An admin sets custom permissions to deny Chat Agent capabilities for a user. The Quick UI dutifully hides the chat panel. But a direct HTTP request to the Chat Agent backend ("Tell me about mangoes") goes straight to the agent because the server-side authorization check that should have validated the custom-permissions deny was never written. CWE-862 ("Missing Authorization") is the most common authorization bug class precisely because it's invisible until someone bothers to probe past the UI. Post-patch the same request returns HTTP 401 with `AGENT_ACCESS_DENIED`. Scope: limited to the originating AWS account, with the default system chat agent that auto-provisions when Quick launches remaining reachable to denied users. Fog Security observed no cross-tenant data access, no privilege escalation outside the affected account.
The interesting angle isn't this one bug โ it's the pattern. Hyperscalers are shipping agentic AI products at conference speed (Amazon Quick at re:Invent, OpenAI Daybreak last week, Google Gemini Live mode), and the access-control surface for each new product is bigger than the IAM teams' review capacity. UI-only enforcement is exactly the shortcut shippers under pressure take, and admins assume "I denied this user the permission, so they can't" without thinking to test it with a direct backend call. The "shadow AI" governance problem โ enterprise IT can't actually prevent employees from using the AI features the company is also paying for โ is becoming a real procurement question. AWS patched in 8 days, which is the right pattern. But the bug shipping in the first place is the recurring problem, and it'll keep happening as more agentic services land.
Already patched on every region by March 12 โ no action needed for Quick customers beyond verifying the service shows the updated behavior. The broader builder note: if you're shipping an agentic AI product, the authorization checks need to run on every backend endpoint that touches the agent, not just on whatever UI surface lists the actions. The shadow-AI governance question is going to be a regulatory pressure point inside large orgs over the next year โ admins want enforceable deny rules, AI vendors want their features as easy to reach as possible, and these two demands aren't compatible without disciplined server-side IAM. AWS Quick's miss is the easy case (single-tenant, patched fast). The harder cases are the cross-product integrations where one service's "I'm authorized" gets trusted by another without re-verification.