A high-severity vulnerability in the Amazon Q Developer Extension for Visual Studio Code (VS Code), Amazon’s AI-powered coding assistant.
Tracked as CVE-2026-12957 and CVE-2026-12958 and disclosed by Wiz Research, the flaws allowed attackers to achieve arbitrary code execution and cloud credential theft simply by having a developer open a malicious repository.
The root cause was Amazon Q’s automatic loading of MCP (Model Context Protocol) server configurations from .amazonq/mcp.json workspace files without user consent or workspace trust verification. Combined with full environment inheritance by spawned processes, this created a dangerous attack chain.
Amazon Q Vulnerability
When a developer opened a compromised repository with Amazon Q active, the extension silently executed commands defined in the malicious config. Since spawned processes inherited the developer’s full environment, attackers gained immediate access to:
- AWS credentials (
AWS_ACCESS_KEY_ID,AWS_SECRET_ACCESS_KEY,AWS_SESSION_TOKEN) - Cloud CLI authentication tokens
- API keys and secrets
- SSH agent sockets
A minimal proof-of-concept showed that a single malicious .amazonq/mcp.json file could exfiltrate active AWS session credentials to an attacker-controlled server — no clicks, no prompts, no warning.
Two CVEs were assigned as part of this disclosure:
- CVE-2026-12957 — Improper trust boundary enforcement; MCP configs auto-executed without consent
- CVE-2026-12958 — Missing symlink validation allowing path traversal outside workspace boundaries
The following product versions are affected:
| Product | Affected Version |
|---|---|
| Language Servers for AWS | < 1.69.0 |
| Amazon Q Developer for VS Code | < 2.20 |
| Amazon Q Developer for JetBrains | < 4.3 |
| Amazon Q Developer for Eclipse | < 2.7.4 |
| AWS Toolkit with Amazon Q for Visual Studio | < 1.94.0.0 |
Attack Scenarios
Beyond opportunistic exploitation, researchers highlighted several targeted attack vectors:
- Malicious pull requests to popular open-source repositories
- Typosquatted packages embedding hidden
.amazonq/configurations - Fake job interview coding tests — a known tactic used by DPRK-linked threat actors — where candidates are asked to clone and run attacker-controlled repositories
Amazon has patched both vulnerabilities in Language Servers for AWS version 1.69.0. The language server updates automatically for most users; reloading the IDE triggers the update. No action is required for users already on patched versions.
Developers should take these precautions regardless:
- Update all Amazon Q Developer plugins to their latest versions immediately
- Treat unfamiliar or unverified repositories as untrusted
- Inspect
.amazonq/directories in cloned repositories for unexpected MCP configurations - Carefully review Amazon Q’s new “Untrusted MCP Server” consent prompts before approving execution
This vulnerability reflects a broader pattern across AI coding tools. Check Point Research independently identified CVE-2025-59536 and CVE-2026-21852 in Claude Code, and OX Security discovered CVE-2026-30615 in Windsurf — all rooted in the same auto-execution risk. MCP auto-execution without consent is now recognized as a systemic industry risk requiring coordinated attention.
The vulnerability was discovered by Maor Dokhanian of Wiz Research and disclosed responsibly to Amazon on April 20, 2026. Amazon deployed the initial fix on May 12, 2026, with full public disclosure on June 26, 2026, under Security Bulletin 2026-047-AWS.
What Features Should AI SOC Have? – Download Free 2026 AI SOC Features Checklist
