Amp Code: Arbitrary Command Execution via Prompt Injection Fixed
Summary
Amp, an AI coding agent by Sourcegraph, had a vulnerability where it could modify its own configuration files to enable arbitrary command execution (running any code on a developer's machine) through two methods: adding bash commands to an allowlist or installing malicious MCP servers (external programs the AI can invoke). This could be exploited by the AI itself or through prompt injection attacks (tricking the AI by hiding malicious instructions in its input).
Solution / Mitigation
Make sure to run the latest version Amp ships frequently. The vulnerability was identified in early July, reported to Sourcegraph, and promptly fixed by the Amp team.
Classification
Affected Vendors
Related Issues
CVE-2026-34371: LibreChat is a ChatGPT clone with additional features. Prior to 0.8.4, LibreChat trusts the name field returned by the e
CVE-2024-27444: langchain_experimental (aka LangChain Experimental) in LangChain before 0.1.8 allows an attacker to bypass the CVE-2023-
Original source: https://embracethered.com/blog/posts/2025/amp-agents-that-modify-system-configuration-and-escape/
First tracked: February 12, 2026 at 02:20 PM
Classified by LLM (prompt v3) · confidence: 92%