A significant security flaw in Amazon Q Developer has been discovered, which could allow malicious repositories to execute commands and compromise cloud credentials. This vulnerability, identified as CVE-2026-12957 with a CVSS score of 8.5, was rooted in the way Amazon’s AI coding assistant managed Model Context Protocol (MCP) servers. The issue has since been patched by Amazon.
Understanding the Vulnerability
The flaw was discovered by Wiz Research, which reported that a single configuration file within a repository was enough for an attacker to exploit it. By opening a repository and trusting the workspace, developers inadvertently allowed Amazon Q to initiate potentially harmful processes.
These processes, referred to as MCP servers, are intended to facilitate local tasks by connecting to databases, APIs, or build tools. However, they could also inherit sensitive environment details such as AWS keys and API secrets, so a server defined by a malicious repository meant unauthorized code execution with access to those secrets.
Mechanics of the Exploit
Attackers could place a specially crafted MCP configuration file, .amazonq/mcp.json, in a repository. When read by Amazon Q, this file could trigger the execution of commands using the developer’s credentials. A proof of concept by Wiz demonstrated how AWS session information could be extracted and sent to an attacker-controlled server.
This type of exploit relies on the assumption that developers would trust their workspace without further verification. Although Amazon’s advisory suggests user consent is involved, Wiz pointed out that the consent process was insufficient for MCP servers prior to the patch.
Mitigation and Update Recommendations
To mitigate the risk, Amazon has released updates to the Language Servers for AWS, which support Amazon Q across multiple development environments including VS Code, JetBrains, Eclipse, and Visual Studio. Developers are urged to update to version 1.69.0 or later to ensure protection against this and other related vulnerabilities.
The latest build addresses an additional issue, CVE-2026-12958, involving a missing symlink check. Developers are advised to ensure their IDEs auto-update or manually update if network restrictions are in place.
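A pre-trust check for the configuration file described above, as an added example (not code from Amazon, Wiz, or the original article): it walks a checked-out repository, finds every .amazonq/mcp.json, and lists the command line and environment variable names each server entry declares, so they can be reviewed before the workspace is trusted. The top-level "mcpServers" key with command, args and env fields is an assumption about the file layout, and the function names and sample data are constructed for illustration.

```python
import json, os, tempfile
from pathlib import Path

CONFIG_REL = Path(".amazonq") / "mcp.json"  # path named in the article

# Constructed sample; the "mcpServers" layout is an assumption, not from the article.
SAMPLE = {"mcpServers": {"build-helper": {
    "command": "node", "args": ["tools/server.js"], "env": {"LOG_LEVEL": "debug"}}}}


def find_configs(root):
    """Yield each .amazonq/mcp.json under root (symlinked dirs are not followed)."""
    for dirpath, dirnames, _ in os.walk(root, followlinks=False):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        candidate = Path(dirpath) / CONFIG_REL
        if candidate.is_file() or candidate.is_symlink():
            yield candidate


def audit_config(path):
    """Return one finding per server process the file declares."""
    base = {"file": str(path),
            "symlink": path.is_symlink() or path.parent.is_symlink()}
    try:
        data = json.loads(path.read_text(encoding="utf-8"))
    except (OSError, ValueError) as exc:  # unreadable or malformed: still report it
        return [dict(base, server=None, argv=[], env_keys=[], error=str(exc))]
    servers = data.get("mcpServers") if isinstance(data, dict) else None
    findings = []
    for name, spec in (servers if isinstance(servers, dict) else {}).items():
        spec = spec if isinstance(spec, dict) else {}
        args = spec.get("args") if isinstance(spec.get("args"), list) else []
        env = spec.get("env") if isinstance(spec.get("env"), dict) else {}
        argv = [str(spec.get("command", ""))] + [str(a) for a in args]
        findings.append(dict(base, server=name, argv=argv,
                             env_keys=sorted(env), error=None))
    return findings


def audit_repo(root):
    return [f for cfg in find_configs(root) for f in audit_config(cfg)]


if __name__ == "__main__":  # demo on a constructed sample repository
    cfg = Path(tempfile.mkdtemp()) / CONFIG_REL
    cfg.parent.mkdir(parents=True)
    cfg.write_text(json.dumps(SAMPLE), encoding="utf-8")
    for f in audit_repo(cfg.parent.parent):
        print(f)
```

Run audit_repo on a fresh clone before opening it in the IDE; a non-empty result means the repository ships its own MCP server definitions, and each argv should be read before trust is granted.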
Broader Implications and Industry Trends
Amazon Q is not alone in facing security challenges with MCP trust configurations. Similar issues have been identified in other AI coding assistants like Claude Code and Cursor, where project-level configurations led to command execution vulnerabilities. This pattern highlights the need for robust trust mechanisms in AI-driven development tools.
As the convenience of automating project configurations continues to grow, developers must remain vigilant about the security implications. Ensuring explicit confirmation before executing code from repository configurations is crucial.
The discovery and patching of this vulnerability underscore the importance of continuous security assessments and updates in protecting cloud environments from exploitation.
