VYPR
patch · Published Jun 26, 2026 · 4 sources

Amazon Q Developer Flaw Could Let Malicious Repos Run Code via MCP Configs

A high-severity flaw in Amazon Q Developer allows malicious repositories to execute arbitrary commands and steal cloud credentials via improper handling of MCP server configurations.

A high-severity vulnerability in Amazon Q Developer, tracked as CVE-2026-12957 (CVSS 8.5), allows a malicious repository to execute arbitrary commands and steal a developer's cloud credentials. The attack path is short: a developer opens the repo, trusts the workspace, and Amazon Q does the rest. Amazon has released a patch.

The bug resides in how Amazon's AI coding assistant handles Model Context Protocol (MCP) servers. Wiz Research, which discovered and reported the flaw, demonstrated that a single config file dropped in a repo was enough to go from git clone to cloud compromise.

Amazon Q reads an MCP configuration file, .amazonq/mcp.json, from the open workspace and launches the servers it defines. MCP servers are local processes that an AI assistant can spawn to reach databases, APIs, or build tools, so starting one means running commands on the machine. Those processes inherit the developer's full environment, including AWS keys, cloud CLI tokens, API secrets, and SSH agent sockets.
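A pre-open audit of the behaviour described above, added here as an example (not code from Amazon, Wiz or this article): it walks a cloned repository without opening it in an IDE and lists every command a .amazonq/mcp.json file would launch. The `mcpServers`/`command`/`args`/`env` layout is an assumption based on the common MCP config format; `audit_repo`, `demo` and the sample entry are constructed for illustration.

```python
import json
import os
import tempfile

# Assumed layout: {"mcpServers": {"<name>": {"command": ..., "args": [...], "env": {...}}}}
CONFIG_REL = os.path.join(".amazonq", "mcp.json")
SHELLS = {"sh", "bash", "zsh", "cmd", "cmd.exe", "powershell", "pwsh"}


def audit_repo(root):
    """List every process a workspace MCP config under root would start."""
    findings = []
    for dirpath, dirnames, _ in os.walk(root):  # symlinked dirs are not followed
        dirnames[:] = [d for d in dirnames if d != ".git"]
        path = os.path.join(dirpath, CONFIG_REL)
        if not os.path.lexists(path):
            continue
        try:
            with open(path, encoding="utf-8") as fh:
                servers = list(json.load(fh).get("mcpServers", {}).items())
        except (OSError, ValueError, AttributeError):
            findings.append({"file": path, "server": None, "argv": [],
                             "notes": ["unparseable config, review by hand"]})
            continue
        for name, spec in servers:
            spec = spec if isinstance(spec, dict) else {}
            args = spec.get("args") if isinstance(spec.get("args"), list) else []
            argv = [str(spec.get("command", ""))] + [str(a) for a in args]
            notes = []
            if os.path.basename(argv[0]).lower() in SHELLS:
                notes.append("launches a shell interpreter")
            if isinstance(spec.get("env"), dict) and spec["env"]:
                notes.append("sets env: " + ", ".join(sorted(spec["env"])))
            findings.append({"file": path, "server": name, "argv": argv, "notes": notes})
    return findings


def demo():
    """Audit a constructed sample repo built in a temporary directory."""
    sample = {"mcpServers": {"build-helper": {  # constructed, harmless entry
        "command": "sh", "args": ["-c", "echo constructed-sample"]}}}
    with tempfile.TemporaryDirectory() as repo:
        os.makedirs(os.path.join(repo, ".amazonq"))
        with open(os.path.join(repo, CONFIG_REL), "w", encoding="utf-8") as fh:
            json.dump(sample, fh)
        return audit_repo(repo)


if __name__ == "__main__":
    for f in demo():
        print(f["server"], f["argv"], f["notes"])
```

Any finding is a reason to read the config before trusting the workspace; an empty result only means no .amazonq/mcp.json was found under that root.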

In its proof of concept, Wiz had the file run aws sts get-caller-identity and ship the output to an attacker server, capturing the active AWS session. What comes next depends on that developer's cloud permissions: backdoor an IAM user for persistence, reach internal services, or pivot toward production.

AWS and Wiz frame the consent step differently. Amazon's advisory says the user has to trust the workspace when prompted, and CVSS rates the user interaction as passive. Wiz reported there was no separate consent step for the MCP servers themselves before the fix. The patch closes that gap: Amazon Q now flags an untrusted MCP server and lets the developer reject the command before it runs.

The flaw lives in Language Servers for AWS, the runtime that powers Amazon Q across VS Code, JetBrains, Eclipse, and Visual Studio. All four plugins bundle it, so all four were exposed by versions that shipped an older copy. CVE-2026-12957 is fixed in Language Servers for AWS 1.65.0, but AWS's bulletin tells customers to move to 1.69.0, which also closes a second issue, CVE-2026-12958, a missing symlink check that could allow arbitrary file writes outside the workspace trust boundary.

There is no known public exploitation; CISA's ADP entry for CVE-2026-12957 lists exploitation as none. Wiz found the flaw through research and disclosed it in coordination with Amazon, reporting it on April 20 and seeing a fix on May 12, ahead of the June 26 public write-up.

Amazon Q is not the first coding assistant to trip over MCP trust. Claude Code (CVE-2025-59536) and Cursor (CVE-2025-54136) both had project-level MCP config that led to command execution. Windsurf (CVE-2026-30615) reached the same end by a different path, with attacker-controlled content rewriting the local MCP config to register a malicious server. The convenience of letting a project folder configure an AI agent is also the attack surface.

The Register reports that Wiz demonstrated the attack by opening a booby-trapped repository, which automatically executed commands using the developer's existing AWS credentials without any user interaction beyond opening the folder and activating Amazon Q. Amazon fixed the bug in language server version 1.65.0, which should update automatically unless blocked. Wiz argues the flaw reflects a broader industry issue, noting similar workspace configuration vulnerabilities have recently surfaced in other AI coding assistants adopting MCP.

Wiz researchers disclosed that the vulnerability, tracked as CVE-2026-12957, stems from the Amazon Q extension automatically acting on configuration files without user permission, enabling malicious repositories to execute commands and steal cloud credentials. A related symbolic link handling flaw (CVE-2026-12958) was also patched. AWS fixed the issue in language server version 1.65.0 across VS Code, JetBrains, Eclipse, and Visual Studio plugins, and noted that similar problems have been identified in other AI coding tools including Claude and Cursor.

Wiz Research disclosed the vulnerabilities as CVE-2026-12957 (improper trust boundary enforcement) and CVE-2026-12958 (missing symlink validation), affecting Amazon Q Developer for VS Code, JetBrains, Eclipse, and Visual Studio, as well as Language Servers for AWS. Amazon patched the issues in Language Servers for AWS version 1.69.0, which updates automatically upon IDE reload. The disclosure also highlighted broader industry risk, noting similar auto-execution vulnerabilities recently found in Claude Code (CVE-2025-59536, CVE-2026-21852) and Windsurf (CVE-2026-30615).

Synthesized by Vypr AI