Amazon has fixed a high-severity security vulnerability in Amazon Q Developer that could have allowed attackers to execute malicious code on a developer’s computer through specially crafted repositories. The flaw has been assigned CVE-2026-12957 with a CVSS score of 8.5. Security researchers at Wiz discovered the issue and responsibly reported it to Amazon before the company released a security update.
The vulnerability was linked to the way Amazon Q Developer handled Model Context Protocol (MCP) server configurations. Researchers found that a malicious Git repository containing a specially prepared .amazonq/mcp.json file could trigger Amazon Q to automatically launch attacker-controlled MCP servers. If a developer opened the repository and trusted the workspace, the malicious process could begin running on the local machine.
Once the MCP server started, it inherited the developer’s existing environment and permissions. This meant it could access sensitive information already available on the system, including AWS access keys, cloud CLI tokens, API credentials, SSH agent sockets, and other secrets stored in the development environment. Attackers could potentially use these credentials to gain unauthorized access to cloud resources.
According to Amazon, developers were required to trust the workspace before the configuration could be used. However, Wiz researchers explained that there was no additional confirmation step before the configured MCP servers were launched. This allowed a malicious repository to move from a trusted workspace to command execution without clearly informing the user that external processes were about to start.
Amazon addressed the issue by changing how Amazon Q Developer handles MCP configurations. The updated version now detects untrusted MCP servers and displays a warning before allowing them to run. This gives developers the opportunity to reject suspicious commands instead of having them execute automatically after trusting the workspace.
The flaw affected the Language Servers for AWS, which powers Amazon Q Developer across multiple integrated development environments, including Visual Studio Code, JetBrains IDEs, Eclipse, and Visual Studio. Any plugin version that included the vulnerable language server could be affected, making the issue relevant across several popular development platforms.
Amazon has fixed CVE-2026-12957 in Language Servers for AWS version 1.65.0, while also recommending users upgrade to version 1.69.0. The newer release also patches another vulnerability, CVE-2026-12958, which could allow arbitrary file writes outside the trusted workspace because of a missing symbolic link validation. Developers are advised to install the latest plugin versions and reload their IDEs to receive the updated language server.
Researchers noted that there is currently no evidence of active exploitation of CVE-2026-12957 in the wild. Wiz privately disclosed the vulnerability to Amazon on April 20, 2026, and Amazon released a fix on May 12 before the issue was publicly disclosed. The incident also highlights a growing trend where project-level MCP configurations in AI coding assistants can become an attack vector, similar to previously reported security issues affecting other AI-powered development tools.
Stay alert, and keep your security measures updated!
Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news
