Amazon Quick Bug Let Restricted Users Access AI Chat Agents Before AWS Patch


A missing authorization check in Amazon Quick allowed restricted users to access AI Chat Agents even after administrators had blocked those features through custom permissions, according to research from Fog Security.

The issue affected Amazon Quick, AWS’s AI-focused business intelligence and workplace assistant service. Fog Security said the user interface correctly hid AI Chat Agent features from blocked users, but the backend API still accepted direct chat requests.

AWS fixed the issue in March 2026 after Fog Security reported it through the company’s vulnerability disclosure program on HackerOne. However, Fog Security said AWS did not notify customers or publish a security advisory.

What happened in Amazon Quick

Fog Security found that Amazon Quick’s AI Chat Agent restrictions were enforced in the interface, but not properly checked on the server side. This created an authorization bypass for users who already had access to the same Quick account.

In testing, the researchers configured custom permissions to block all Chat Agent features across an Amazon Quick account. They then logged in as a non-admin user and sent a direct HTTP request to the Chat Agent endpoint.

The agent responded to the prompt even though the user should have received an access denied or unauthorized response. Fog Security said this mapped to CWE-862 (Missing Authorization): the restriction existed in the interface but was never checked on the server.

Item                 Details
Service              Amazon Quick
Affected feature     AI Chat Agents
Issue type           Missing server-side authorization
Weakness category    CWE-862
Reported by          Fog Security researcher Jason Kao
Reported to AWS      March 4, 2026
Fixed globally       March 12, 2026

Why the bug mattered

The issue mattered because custom permissions are the control Amazon Quick administrators use to limit access to specific features inside the service. In this case, that control appeared to work in the interface, but the API did not enforce the same restriction.

Fog Security said standard AWS Identity and Access Management policies, Service Control Policies, and Resource Control Policies do not govern access to Quick’s AI Chat Agent functionality. That leaves custom permission profiles as the main control for granular feature restrictions.

This created a gap for organizations trying to prevent unauthorized AI use inside the same account. A blocked user could still interact with an AI agent by sending direct backend requests, as long as they had valid access to the Quick account.

No cross-tenant access was observed

Fog Security said the bug did not allow cross-tenant access. In other words, the test did not show that one customer could access another customer’s Amazon Quick environment.

The risk stayed inside the same account. That still matters for companies that use internal access controls to separate employees, contractors, business units, or users with different compliance requirements.

AWS later said the issue was addressed in March 2026, that no customer data was at risk, and that customers did not need to take action. Fog Security disagreed with the severity handling because the bug bypassed explicit administrative controls.

How the bypass worked

Amazon Quick automatically provisions a default chat agent when the service is activated, according to Fog Security. Administrators can then use custom permissions to deny Chat Agent-related features.

Before the fix, the interface respected those restrictions by hiding or disabling access. However, the backend API still accepted direct requests from users who had been blocked through custom permissions.

Fog Security tested the issue with a harmless prompt asking the agent to explain mangoes. Before the fix, the agent returned a successful response. After AWS patched the bug, the same request returned an HTTP 401 Unauthorized response.

  • The user needed valid access to the same Amazon Quick account.
  • The bypass targeted Chat Agent access blocked by custom permissions.
  • The interface hid the feature, but the API still accepted requests.
  • Fog Security observed no cross-tenant data access.
  • AWS fixed the issue across production regions by March 12, 2026.
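The following is an added illustration, not code from Amazon or Fog Security, of the pattern the test above exercised: a custom permission profile denies the Chat Agent feature, the interface hides the menu entry, but the "before" API handler never re-checks the profile, so a direct request to the endpoint succeeds. The "after" handler evaluates the same profile on every request and returns the 401 the article reports. It also illustrates the later point that every access path, not only the interface, must enforce the restriction. The feature key CHAT_AGENT, the PermissionProfile and User types, and the handler names are assumptions made for this example and are not Amazon Quick identifiers.

```python
"""Toy chat-agent backend showing the CWE-862 pattern (added example).
All names (CHAT_AGENT, PermissionProfile, User, handle_chat_request_*)
are assumptions for illustration, not Amazon Quick identifiers."""
from __future__ import annotations

from dataclasses import dataclass

CHAT_AGENT = "ChatAgent"  # feature key denied by the custom permission profile (assumed name)


@dataclass(frozen=True)
class PermissionProfile:
    """Custom permission profile: a named set of denied feature keys."""
    name: str
    denied_features: frozenset[str] = frozenset()

    def allows(self, feature: str) -> bool:
        return feature not in self.denied_features


@dataclass(frozen=True)
class User:
    name: str
    role: str
    profile: PermissionProfile


def default_agent_reply(prompt: str) -> str:
    """Stand-in for the automatically provisioned default chat agent."""
    return f"Agent answer for: {prompt!r}"


def render_menu(user: User) -> list[str]:
    """UI layer: hides the Chat Agents entry from blocked users.
    This is where the only check lived before the fix."""
    items = ["Dashboards", "Datasets"]
    if user.profile.allows(CHAT_AGENT):
        items.append("Chat Agents")
    return items


def handle_chat_request_before_fix(user: User, prompt: str) -> tuple[int, str]:
    """Vulnerable: trusts that the UI already filtered the caller.
    Authorization happens only in render_menu, so a caller who skips the
    UI and posts straight to the endpoint is never checked (CWE-862)."""
    return 200, default_agent_reply(prompt)


def handle_chat_request_after_fix(user: User, prompt: str) -> tuple[int, str]:
    """Hardened: the API re-evaluates the same permission profile the UI uses."""
    if not user.profile.allows(CHAT_AGENT):
        return 401, "Unauthorized"  # status the article reports after the fix
    return 200, default_agent_reply(prompt)


def reproduce(handler) -> tuple[list[str], int]:
    """Mirror the reported test: deny Chat Agents via custom permissions,
    act as a non-admin user, bypass the UI and call the endpoint directly."""
    no_ai = PermissionProfile("no-ai", frozenset({CHAT_AGENT}))
    analyst = User("analyst", "READER", no_ai)          # constructed test user
    menu = render_menu(analyst)                          # UI correctly hides the feature
    status, _ = handler(analyst, "Explain mangoes")     # direct API call skips the UI
    return menu, status


if __name__ == "__main__":
    for label, handler in (("before", handle_chat_request_before_fix),
                           ("after", handle_chat_request_after_fix)):
        menu, status = reproduce(handler)
        print(f"{label} fix: menu={menu} api_status={status}")
```

Both handlers leave the menu unchanged, which is exactly why a UI-only check looks correct in testing; only the direct request distinguishes them. One caveat on the status code: the article reports 401, and the example keeps that, but for a caller who is authenticated and simply not permitted, HTTP semantics would also justify a 403. What matters for the control is that the request is refused on the server, not which of the two codes is returned.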

AWS response and disclosure timeline

Fog Security reported the bug to AWS on March 4, 2026 through the AWS vulnerability disclosure program on HackerOne. AWS deployed a fix to initial production regions on March 11 and completed the rollout to all production regions on March 12.

Fog Security said AWS classified the severity as “none” and did not issue customer communications or a public advisory. AWS’s vulnerability reporting page says the company publishes security bulletins when public notification applies.

After Fog Security published its findings, AWS said it appreciated the coordinated disclosure and that the issue had already been addressed. The company also said customers could contact AWS Support with questions or concerns about account security.

Date              Event
March 4, 2026     Fog Security reported the issue to AWS through HackerOne.
March 11, 2026    AWS deployed the fix to initial production regions.
March 12, 2026    AWS completed the fix across production regions.
May 12, 2026      Fog Security published details of the authorization bypass.

Why AI access controls need server-side checks

The case shows why AI features inside enterprise software need consistent authorization across every access path. Hiding a feature in the interface does not stop users if the backend API still accepts requests.

This issue becomes more important as AI assistants connect to business systems, documents, databases, CRMs, communication apps, and internal knowledge sources. Companies often restrict these tools to control shadow AI use and support compliance rules.

When an AI tool can answer questions from business data, administrators need assurance that access rules work at the API level, not only inside the interface.

What Amazon Quick administrators should review

AWS says there is no customer action required because the issue has already been fixed. Still, organizations with strict AI governance requirements may want to review whether their Amazon Quick settings matched their internal policy before the March fix.

Teams should also confirm that custom permission profiles reflect their current policy. Amazon’s documentation says Quick Enterprise edition supports custom permissions at the account, role, and user levels.

Security and compliance teams may also want to check audit trails or contact AWS Support if they need to confirm whether restricted users interacted with AI Chat Agents during the exposure window.

  1. Review Amazon Quick custom permission profiles.
  2. Confirm which users, roles, and accounts have AI Chat Agent access.
  3. Check whether internal policies require evidence of AI access enforcement.
  4. Review logs for unusual Chat Agent activity before March 12, 2026.
  5. Contact AWS Support if audit or compliance teams need account-specific answers.

What this means for cloud AI security

The Amazon Quick bug highlights a common security challenge for AI-integrated cloud services. New AI features often reach users quickly, but access controls must cover both the interface and direct API use.

For enterprise buyers, the issue also raises a transparency question. If a cloud provider fixes a control failure without customer notification, organizations may struggle to assess historical exposure or prove compliance.

For cloud vendors, the lesson is direct. AI access controls need the same discipline as identity, data access, and administrative policy systems. When administrators block a feature, every path to that feature must enforce the restriction.

FAQ

What was the Amazon Quick AI Chat Agents bug?

The bug was a missing server-side authorization check that allowed restricted Amazon Quick users to interact with AI Chat Agents through direct API requests, even when custom permissions blocked the feature in the interface.

Did the Amazon Quick bug expose other customers’ data?

Fog Security said it observed no cross-tenant access. The issue stayed within the same Amazon Quick account, but it bypassed intra-account administrative controls.

When did AWS fix the Amazon Quick authorization bypass?

Fog Security says AWS deployed the first fixes on March 11, 2026 and completed the rollout to all production regions on March 12, 2026.

Do Amazon Quick customers need to take action now?

AWS said no customer action is required. Organizations with strict AI governance or compliance needs may still want to review custom permissions, logs, and account-specific exposure with AWS Support.
