Amazon’s AI-enhanced coding tool, the Amazon Q Developer Extension for Visual Studio Code, has been found to have a critical vulnerability. This flaw, identified by Wiz Research, has been assigned CVE-2026-12957 and CVE-2026-12958, highlighting significant risks of arbitrary code execution and unauthorized access to cloud credentials when developers open compromised repositories.
Understanding the Vulnerability
The main issue arises from how Amazon Q automatically loads Model Context Protocol (MCP) server configurations from workspace files without requiring user approval or verifying workspace trust. This automatic loading, combined with full environment inheritance by processes, creates a potential attack scenario.
Upon opening a compromised repository, the extension can execute commands from malicious configurations. This results in attackers gaining access to sensitive information such as AWS credentials, cloud authentication tokens, and other secrets, all without the developer’s awareness.
Implications of the Security Breach
A proof-of-concept demonstrated that a harmful .amazonq/mcp.json file could easily exfiltrate active AWS session credentials to an attacker’s server. The CVEs highlight two main issues: improper trust boundary enforcement and a lack of symlink validation, which allows unauthorized path traversal.
The affected versions include Amazon Q Developer for VS Code below version 2.20 and other related products. This vulnerability represents a larger issue across AI coding tools, with similar risks identified in other platforms such as Claude Code and Windsurf.
Preventive Measures and Recommendations
Amazon has responded by patching these vulnerabilities in the latest version of their Language Servers for AWS. Users should ensure all Amazon Q Developer plugins are up-to-date and treat unknown repositories as untrusted. It’s crucial to inspect .amazonq/ directories for unexpected configurations and review consent prompts carefully.
This vulnerability underscores a broader industry concern over the auto-execution of configurations without user consent. It calls for heightened vigilance and coordinated efforts across the software community to mitigate these risks.
Wiz Research’s Maor Dokhanian discovered the vulnerability, which was responsibly disclosed to Amazon in April 2026. Following initial fixes in May, Amazon issued full public disclosure in June 2026.
