Amp Code: Arbitrary Command Execution via Prompt Injection Fixed
Summary
Amp, an AI coding agent by Sourcegraph, had a vulnerability where it could modify its own configuration files to enable arbitrary command execution (running any code on a developer's machine) through two methods: adding bash commands to an allowlist or installing malicious MCP servers (external programs the AI can invoke). This could be exploited by the AI itself or through prompt injection attacks (tricking the AI by hiding malicious instructions in its input).
Solution / Mitigation
Make sure to run the latest version Amp ships frequently. The vulnerability was identified in early July, reported to Sourcegraph, and promptly fixed by the Amp team.
Classification
Affected Vendors
Related Issues
CVE-2024-27444: langchain_experimental (aka LangChain Experimental) in LangChain before 0.1.8 allows an attacker to bypass the CVE-2023-
CVE-2025-45150: Insecure permissions in LangChain-ChatGLM-Webui commit ef829 allows attackers to arbitrarily view and download sensitive
Original source: https://embracethered.com/blog/posts/2025/amp-agents-that-modify-system-configuration-and-escape/
First tracked: February 12, 2026 at 02:20 PM
Classified by LLM (prompt v3) · confidence: 92%