High-Severity Flaw in Amazon Q Developer Patched
A high-severity vulnerability in Amazon Q Developer, tracked as CVE-2026-12957, could have allowed attackers to execute commands and steal developers' cloud credentials through malicious repositories. The flaw, which has been patched by Amazon, exploited the way the AI coding assistant handled Model Context Protocol (MCP) servers.
How the Vulnerability Worked
The vulnerability was discovered by Wiz Research, which demonstrated that a single configuration file (.amazonq/mcp.json) placed in a repository could enable an attacker to run arbitrary code on a developer's machine. When Amazon Q read this file, it launched MCP servers defined within it, which inherited the developer's full environment, including AWS keys, cloud CLI tokens, API secrets, and SSH agent sockets.
In a proof of concept, Wiz showed how the file could execute the aws sts get-caller-identity command and send the output to an attacker's server, capturing the active AWS session. Depending on the developer's cloud permissions, this could lead to further compromises, such as backdooring an IAM user, accessing internal services, or pivoting to production environments.
Patch and Mitigation
Amazon has addressed the vulnerability in Language Servers for AWS version 1.65.0, but users are advised to update to version 1.69.0, which also fixes a second issue (CVE-2026-12958). The updated versions include a prompt that allows developers to reject untrusted MCP servers before commands are executed.
Developers using affected IDE plugins, including VS Code, JetBrains, Eclipse, and Visual Studio, are urged to update to the following minimum versions:
- VS Code: 2.20 or later
- JetBrains: 4.3 or later
- Eclipse: 2.7.4 or later
- Visual Studio toolkit: 1.94.0.0 or later
The language server auto-updates unless blocked by network settings, and reloading the IDE will apply the latest build. There is no known public exploitation of the vulnerability.
Industry Trends and Implications
This vulnerability is part of a broader pattern affecting AI coding assistants. Similar issues have been reported in tools like Claude Code and Cursor, where project-level MCP configurations led to command execution. The convenience of allowing project folders to configure AI agents often introduces security risks, as untrusted input can be turned into executable behavior.
The incident underscores the need for explicit consent mechanisms when turning configuration files into running processes, especially in environments with sensitive cloud credentials.
Conclusion
While Amazon has swiftly patched the vulnerability, the incident highlights the growing security challenges in AI-driven developer tools. Developers are encouraged to stay vigilant and ensure their tools are up to date to mitigate such risks.