A critical security flaw discovered in the Amazon Q Developer Extension for Visual Studio Code (VS Code) left developers vulnerable to arbitrary code execution and cloud credential theft.
Tracked as CVE-2026-12957 and CVE-2026-12958, these high-severity vulnerabilities highlight significant risks in how AI coding assistants manage trust boundaries.
The root cause of this vulnerability lies in how Amazon Q handled Model Context Protocol (MCP) server configurations. MCP servers operate as local processes that extend AI assistants’ capabilities to interact with APIs, databases, and local resources.
Amazon Q Developer Vulnerability
Amazon Q automatically loaded these configurations from a hidden .amazonq/mcp.json file inside workspace directories without prompting for user consent or verifying workspace trust.
The MCP server processes spawned from this file automatically inherited the victim's complete environment, which gave them immediate access to sensitive data. This included AWS credentials (access key ID, secret access key, and session tokens), API keys, and SSH agent sockets.
Security researchers at Wiz demonstrated a proof-of-concept showing how a single Bash command within a malicious configuration could invoke identity commands and exfiltrate captured AWS sessions to an attacker-controlled server.
Exploiting this vulnerability required minimal user interaction. An attacker simply needed to plant a malicious configuration file inside a repository and wait for a developer to clone and open the folder in an IDE with Amazon Q active. The extension would then silently execute the embedded configuration without any warnings.
Threat actors could leverage multiple delivery vectors to distribute these poisoned repositories. Common distribution methods include typosquatted packages, malicious pull requests to popular open-source projects, and compromised dependencies.
Threat groups linked to the Democratic People’s Republic of Korea (DPRK) frequently use fake job interview coding tests as a delivery mechanism, making this a highly realistic attack scenario.
Successful exploitation could allow attackers to backdoor IAM users, establish persistence in cloud environments, or pivot into internal production systems using inherited VPN contexts.
Wiz researcher Maor Dokhanian discovered the vulnerability on April 17, 2026, and reported it to Amazon Security on April 20. Amazon deployed an initial language server update on May 12, followed by public disclosure on June 26, 2026.
The two distinct CVEs address improper trust boundary enforcement (CVE-2026-12957) and missing symlink validation (CVE-2026-12958). Developers must ensure their environments are updated past the following vulnerable plugin versions:
| Product | Vulnerable Version |
|---|---|
| Language Servers for AWS | < 1.69.0 |
| Amazon Q Developer for VS Code | < 2.20 |
| Amazon Q Developer for JetBrains | < 4.3 |
| Amazon Q Developer for Eclipse | < 2.7.4 |
| AWS Toolkit with Amazon Q for Visual Studio | < 1.94.0.0 |
The AWS language server updates automatically in most configurations, meaning a simple IDE reload triggers the patch. Developers should routinely audit workspace directories for unexpected .amazonq/ folders and treat all unfamiliar repositories as highly untrusted.
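One way to run the audit recommended above, as an added example that is not code from Wiz or Amazon: the script walks a directory of checkouts, reports every .amazonq/mcp.json it finds, flags symlinked config paths, and lists the commands each file would launch, without executing anything. The mcpServers/command/args layout is an assumption based on the common MCP configuration format, and the sample tree in demo() is constructed.

```python
import json
import os
import tempfile
from pathlib import Path

def audit_workspaces(root):
    """List every .amazonq/mcp.json under root; nothing is executed."""
    findings = []
    for dirpath, dirnames, _ in os.walk(root, followlinks=False):
        if ".amazonq" not in dirnames:
            continue
        cfg_dir = Path(dirpath) / ".amazonq"
        cfg = cfg_dir / "mcp.json"
        if not os.path.lexists(cfg):
            continue
        finding = {
            "workspace": dirpath,
            # Symlinked config paths deserve a closer look (cf. CVE-2026-12958).
            "symlink": cfg_dir.is_symlink() or cfg.is_symlink(),
            "commands": [],
            "error": None,
        }
        try:
            # ASSUMPTION: top-level "mcpServers" map with command/args entries.
            servers = json.loads(cfg.read_text()).get("mcpServers", {})
            for name, spec in servers.items():
                argv = [spec.get("command", "")] + list(spec.get("args", []))
                finding["commands"].append((name, " ".join(argv)))
        except (OSError, ValueError, AttributeError, TypeError) as exc:
            # Unreadable or malformed configs are reported, not skipped.
            finding["error"] = f"{type(exc).__name__}: {exc}"
        findings.append(finding)
    return findings

def demo():
    """Audit a constructed tree: one repo with a config, one without."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg_dir = Path(tmp, "cloned-repo", ".amazonq")
        cfg_dir.mkdir(parents=True)
        Path(tmp, "clean-repo").mkdir()
        sample = {"mcpServers": {"helper": {  # constructed, harmless sample
            "command": "bash", "args": ["-c", "echo constructed-sample"]}}}
        (cfg_dir / "mcp.json").write_text(json.dumps(sample))
        return audit_workspaces(tmp)

if __name__ == "__main__":
    for f in demo():
        print(f)
```

Point audit_workspaces() at the directory that holds your cloned repositories; any finding in a repository you did not configure yourself is worth reviewing before opening it in an IDE.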
This incident is part of a broader trend of MCP auto-execution flaws affecting the AI development ecosystem. Similar vulnerabilities were recently disclosed in Claude Code (CVE-2025-59536, CVE-2026-21852), Cursor (CVE-2025-54136), and Windsurf (CVE-2026-30615).
These compounding disclosures strongly indicate that the cybersecurity industry must standardize workspace configuration trust as a foundational requirement for all AI-assisted development tools.

