1 hour ago
20
A vulnerability in Amazon’s AI-powered coding assistant, Amazon Q Developer, allowed attackers to steal cloud credentials simply by tricking a developer into opening a poisoned code repository. The flaw, tracked as CVE-2026-12957, carries a CVSS score of 8.5 out of 10.
Wiz Research, the security firm that discovered the bug, found that the Amazon Q Developer extension for IDEs like Visual Studio Code would automatically load and execute Model Context Protocol (MCP) server configurations without asking the developer’s permission first. Open a malicious repo, and hidden commands run silently in the background with full access to your environment variables, including your AWS credentials.
How the attack works
The exploit is elegant in its simplicity. An attacker places a single .amazonq/mcp.json file inside a code repository. When an unsuspecting developer clones and opens that repo in their IDE with the Amazon Q Developer extension installed, the MCP configuration file runs automatically.
Those commands don’t run in some sandboxed environment. They inherit the developer’s complete set of environment variables. For anyone working with AWS, that typically includes access keys, session tokens, and region configurations. The result is silent data exfiltration with no pop-up warnings, no permission dialogs, and no indication that anything happened at all.
Timeline and patch details
Wiz reported the vulnerability to Amazon on April 20, 2026. Amazon released an initial patch on May 12, 2026, in Language Servers for AWS version 1.65.0. Public disclosure followed on June 26, 2026, giving organizations roughly six weeks to update before the details went public.
Amazon has recommended that users upgrade to version 1.69.0 for more comprehensive protection. That later version also addresses a related vulnerability, CVE-2026-12958, which involves symlink validation issues in MCP configurations.
No instances of public exploitation have been recorded so far.
A pattern, not an isolated incident
Similar flaws have been reported around the same time for other AI coding tools, including Claude Code, Cursor, and Windsurf. The common thread is MCP, the Model Context Protocol that AI coding assistants use to connect with external tools and data sources. When an AI coding tool automatically loads configuration files from a repository, it implicitly trusts whatever the repository author put there.
For developers and organizations using AWS, the immediate action is straightforward: update your Amazon Q Developer extension to at least version 1.65.0, ideally version 1.69.0. Organizations running cloud workloads should also audit whether any of their developers may have opened unfamiliar repositories while the vulnerable extension was active. Rotating AWS credentials as a precaution is advisable given that the exploit leaves no visible trace.
The CVSS score of 8.5 puts this squarely in the “high severity” category. For context, a score above 9.0 is considered critical, and anything above 7.0 demands prompt attention.
Disclosure: This article was edited by Editorial Team. For more information on how we create and review content, see our Editorial Policy.
English (US) ·