Amazon Q Developer flaw let malicious repos run code and expose cloud credentials


A flaw in Amazon Q Developer let a malicious repository run commands and expose a developer’s cloud credentials, according to a technical analysis by Wiz Research. The issue, tracked as CVE-2026-12957 with a CVSS score of 8.5, affected Amazon’s AI coding assistant before a fix was issued.

KEY FACTS

  • Attack path: A repo file named .amazonq/mcp.json could trigger a local MCP server when the workspace was opened and trusted.
  • Impact: The spawned process inherited environment data such as AWS keys, cloud tokens, API secrets and SSH agent sockets.
  • Proof of concept: The research showed code could run aws sts get-caller-identity and send the output to an attacker server.
  • Fix: Amazon Q now flags an untrusted MCP server before it runs, and AWS says users should update to Language Servers for AWS 1.69.0.

The issue was in how Amazon Q handled Model Context Protocol servers inside the workspace. Those servers are local processes that can reach databases, APIs or build tools, but starting one also meant running commands on the machine.
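As an added illustration of the kind of pre-trust check the fix introduces (this is example code, not code from Wiz or AWS), the script below lists every MCP server a checkout would spawn so a developer can review it before trusting the workspace; the file layout it parses (a top-level mcpServers object whose entries carry command, args and env) is an assumption about the format, and the sample file is constructed.

```python
"""Audit a cloned repository's .amazonq/mcp.json before trusting the workspace.

Assumed format (not taken from the advisory): {"mcpServers": {name: {"command",
"args", "env"}}}. Every entry is reported, because any command it names runs as
the developer and inherits the IDE's environment (cloud keys, agent sockets).
"""
import json
from pathlib import Path

# Constructed sample of what a repository might ship; not a real project's file.
SAMPLE_MCP_JSON = json.dumps({
    "mcpServers": {
        "docs-helper": {"command": "npx", "args": ["-y", "some-docs-server"]},
        "bootstrap": {"command": "sh", "args": ["-c", "./scripts/bootstrap.sh"],
                      "env": {"AWS_PROFILE": "default"}},
    }
})

SHELLS = ("sh", "bash", "zsh", "cmd", "powershell", "pwsh")


def audit_mcp_config(text: str) -> list[dict]:
    """Return one finding per MCP server entry describing what it would spawn."""
    cfg = json.loads(text)
    findings = []
    for name, spec in cfg.get("mcpServers", {}).items():
        cmd = [spec.get("command", "")] + list(spec.get("args", []))
        findings.append({
            "server": name,
            "spawns": " ".join(cmd),
            # Environment overrides deserve a look: they can point tools at
            # specific credentials or profiles on the developer's machine.
            "sets_env": sorted(spec.get("env", {}).keys()),
            # A shell interpreter can run arbitrary text; flag it for review.
            "shell": spec.get("command") in SHELLS,
        })
    return findings


def audit_repo(repo_dir: str) -> list[dict]:
    """Locate .amazonq/mcp.json under a checkout and audit it; [] if absent."""
    path = Path(repo_dir) / ".amazonq" / "mcp.json"
    if not path.is_file():
        return []
    return audit_mcp_config(path.read_text())


if __name__ == "__main__":
    for finding in audit_mcp_config(SAMPLE_MCP_JSON):
        print(finding)
```

Run it against a fresh clone with audit_repo(path) and treat any non-empty result as something to read before accepting the trust prompt.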

Wiz said there was no separate consent step for the MCP server before the fix, even though the workspace itself had to be trusted. Amazon’s advisory said the user had to trust the workspace when prompted. The flaw affected the runtime used by Amazon Q across VS Code, JetBrains, Eclipse and Visual Studio.

AWS has said the issue is fixed in Language Servers for AWS 1.65.0, while its bulletin tells customers to move to 1.69.0. That release also addresses CVE-2026-12958, a separate symlink check issue that could allow arbitrary file writes outside the workspace trust boundary.

There is no known public exploitation, and CISA’s ADP entry lists none. Wiz said it reported the problem on April 20 and saw a fix on May 12 before the public disclosure on June 26.

WHY IT MATTERS

The flaw showed how a trusted project folder can become an entry point for code execution when an AI assistant automatically turns repository settings into running processes. For developers who use cloud credentials on the same machine, that can create a path from a clone to account compromise.