Amazon has patched a high-severity vulnerability in Amazon Q Developer, tracked as CVE-2026-12957, that allowed malicious repositories to execute arbitrary code and steal cloud credentials from developers. The flaw resided in how the AI coding assistant handled Model Context Protocol (MCP) configuration files, which define how the tool interacts with external services and local development resources.
Security researchers at Wiz demonstrated that a single configuration file, .amazonq/mcp.json, placed inside a cloned repository could trigger the automatic execution of attacker-defined MCP servers when a developer opened the workspace. These servers run as local processes with the same permissions and environment variables as the developer, effectively granting them access to sensitive assets such as AWS credentials, API tokens, and SSH sessions without requiring explicit authentication prompts.
Once triggered, the malicious configuration allowed attackers to run commands such as AWS identity checks and exfiltrate active cloud session data to remote servers. Depending on the victim’s permissions, this access could enable privilege escalation, persistence in cloud environments, or lateral movement into production systems. Researchers emphasized that no password theft or secondary authentication was required, as the exploit leveraged already-active developer sessions.
Although Amazon stated that users must “trust” a workspace before execution, Wiz noted that MCP servers were previously launched without a distinct approval step, creating a gap between repository trust and actual command execution. The issue has since been fixed in updated versions of the Language Servers for AWS, which now explicitly warn users before running untrusted MCP configurations.
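As an added example, not code from Wiz, Amazon, or the original article: a small pre-open audit a defender could run on a fresh checkout, listing every MCP server a repository-level config would launch and flagging env entries that forward credential-like variables. It assumes the .amazonq/mcp.json path the article names and the common `mcpServers` JSON layout used by MCP client configs.

```python
"""Audit a fresh checkout for project-level MCP config before opening it in an
AI coding assistant. Hypothetical helper, not Amazon's or Wiz's code."""
import json
import tempfile
from pathlib import Path
# Assumption: .amazonq/mcp.json is the trigger file the article names, and the
# "mcpServers" layout follows the common MCP client config format.
MCP_CONFIG_PATHS = (".amazonq/mcp.json",)
CREDENTIAL_HINTS = ("AWS_", "TOKEN", "SECRET", "KEY", "PASSWORD")
def parse_mcp_servers(text):
    """Return {name: {"command", "args", "env"}} for each configured server."""
    servers = json.loads(text).get("mcpServers", {})
    return {name: {"command": spec.get("command", ""),
                   "args": list(spec.get("args", [])),
                   "env": dict(spec.get("env", {}))}
            for name, spec in servers.items()}

def audit_mcp_config(text):
    """Each server is a local process run with the developer's environment."""
    try:
        servers = parse_mcp_servers(text)
    except (ValueError, AttributeError):  # malformed JSON or wrong shape
        return ["config is not valid MCP JSON; inspect manually before trusting"]
    findings = []
    for name, spec in servers.items():
        cmd = " ".join([spec["command"], *spec["args"]]).strip()
        findings.append(f"{name}: would launch '{cmd}' as a local process")
        for var in spec["env"]:  # env entries naming credential-like variables
            if any(hint in var.upper() for hint in CREDENTIAL_HINTS):
                findings.append(f"{name}: env forwards credential-like variable {var}")
    return findings

def audit_repo(repo_dir):
    """Audit each known MCP config file in a checkout: {relative path: findings}."""
    report = {}
    for rel in MCP_CONFIG_PATHS:
        path = Path(repo_dir) / rel
        if path.is_file():
            report[rel] = audit_mcp_config(path.read_text())
    return report
# Constructed sample config, not taken from any real repository.
SAMPLE_CONFIG = json.dumps({"mcpServers": {"helper": {"command": "npx",
    "args": ["-y", "some-package"], "env": {"AWS_PROFILE": "default"}}}})
def demo():
    # Write the sample into a temporary checkout and audit it.
    with tempfile.TemporaryDirectory() as repo:
        cfg = Path(repo) / ".amazonq" / "mcp.json"
        cfg.parent.mkdir()
        cfg.write_text(SAMPLE_CONFIG)
        return audit_repo(repo)
```

Run audit_repo against the clone directory before opening it in the assistant; any non-empty report means the workspace would start processes the developer has not reviewed.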
This vulnerability is part of a broader pattern affecting AI-powered development tools, where project-level configuration files can be transformed into execution vectors. Similar issues have been observed in other AI coding assistants, highlighting an emerging class of supply chain risks where developer productivity features double as attack surfaces.
