The Vulnerability and Attack Vector
A high severity flaw in Amazon Q Developer, tracked as CVE-2026-12957 with a CVSS score of 8.5, allowed a malicious repository to execute arbitrary commands and steal a developer’s cloud credentials. Researchers at Wiz discovered that the AI coding assistant automatically read an MCP configuration file named .amazonq/mcp.json from an open workspace and launched the servers defined in it. Because MCP servers run as local processes with the developer’s full environment, they had access to AWS keys, cloud CLI tokens, API secrets, and SSH agent sockets. This meant that simply cloning a repository and trusting the workspace could lead to running attacker controlled commands with the active cloud session attached, requiring no additional password or sign-in.
Impact and Remediation
The flaw affected Language Servers for AWS, the runtime used by Amazon Q across Visual Studio Code, JetBrains, Eclipse, and Visual Studio IDE plugins. Amazon has released a fix in version 1.65.0 of Language Servers for AWS, though the company recommends updating to version 1.69.0 which also addresses a related symlink issue (CVE-2026-12958). The patched plugin minimums are VS Code 2.20, JetBrains 4.3, Eclipse 2.7.4.0, and Visual Studio toolkit 1.94.0.0. Amazon Q now flags untrusted MCP servers and requires explicit user consent before commands execute. CISA reports no known public exploitation of this vulnerability.
Source: The Hacker News

