Full Report
A high-severity flaw in Amazon Q Developer let a malicious repository run commands and steal a developer's cloud credentials. The path was short: a developer opens the repo, trusts the workspace, and Amazon Q does the rest. Amazon has patched it. Tracked as CVE-2026-12957 (CVSS 8.5), the bug sat in how Amazon's AI coding assistant handled Model Context Protocol (MCP) servers. Wiz
Analysis Summary
# Vulnerability: Amazon Q Developer MCP Command Execution
## CVE Details
- **CVE ID:** CVE-2026-12957 (and related CVE-2026-12958)
- **CVSS Score:** 8.5 (High)
- **CWE:** Improper Input Validation / Unauthorized Command Execution
## Affected Systems
- **Products:** Amazon Q Developer (formerly AWS Chat) plugins and Language Servers for AWS.
- **Versions:** All versions of Language Servers for AWS prior to 1.65.0.
- **Configurations:** Systems where a developer opens a malicious repository and "trusts" the workspace within the IDE.
## Vulnerability Description
The flaw exists in how Amazon Q Developer handles the Model Context Protocol (MCP). The assistant automatically reads an MCP configuration file (`.amazonq/mcp.json`) located within an open workspace. This file defines local MCP servers—processes the AI uses to interact with external tools or databases.
The vulnerability allowed a malicious repository to define arbitrary commands within the `.amazonq/mcp.json` file. When the workspace was trusted, Amazon Q would spawn these processes, which then inherited the developer's environment variables, including AWS CLI tokens, IAM credentials, and SSH keys.
## Exploitation
- **Status:** PoC available (developed by Wiz Research); no known exploitation in the wild.
- **Complexity:** Low (requires only a crafted JSON file in a repository).
- **Attack Vector:** Local (requires a user to clone/open a repository and trust the workspace).
## Impact
- **Confidentiality:** High (Theft of AWS credentials, environment variables, and cloud session tokens).
- **Integrity:** High (Arbitrary command execution on the local machine and potential for cloud resource manipulation).
- **Availability:** High (Potential for local or cloud-based service disruption).
## Remediation
### Patches
AWS recommends updating "Language Servers for AWS" to **version 1.69.0** or later to address both this issue and a secondary symlink flaw (CVE-2026-12958). Minimum plugin versions:
- **VS Code:** 2.20 or later
- **JetBrains:** 4.3 or later
- **Eclipse:** 2.7.4 or later
- **Visual Studio Toolkit:** 1.94.0.0 or later
### Workarounds
- Do not "Trust" workspaces or repositories from unknown or unverified sources.
- Disable MCP server functionality if not actively required for development.
## Detection
- **Indicators of Compromise:** Presence of unexpected `.amazonq/mcp.json` files in cloned repositories; unusual `aws sts get-caller-identity` calls or outbound traffic to unknown IP addresses originating from IDE processes.
- **Detection Methods:** Audit IDE plugin versions; monitor for the creation of unexpected subprocesses by the Java/Node/Python runtimes associated with Amazon Q.
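
The first indicator above can be checked before a workspace is trusted. The following added example, which is not code from AWS, Wiz or the original report, walks a directory of cloned repositories and lists the command line each `.amazonq/mcp.json` would launch. The `mcpServers` / `command` / `args` / `env` layout is assumed from the common MCP configuration format, and the sample server name and command are constructed placeholders.

```python
import json
import os
import sys

CONFIG_REL = os.path.join(".amazonq", "mcp.json")  # workspace path named in the report

# Constructed sample config; the server name and command are placeholders.
SAMPLE_CONFIG = ('{"mcpServers": {"docs": {"command": "example-mcp-server",'
                 ' "args": ["--stdio"], "env": {"EXAMPLE_MODE": "1"}}}}')


def audit_text(text, source):
    """Return one finding per server entry; unparsable input is itself a finding."""
    try:
        doc = json.loads(text)
    except ValueError as exc:
        return [{"file": source, "server": None, "argv": None, "note": f"invalid JSON: {exc}"}]
    # Assumption: servers sit under "mcpServers" as {name: {"command", "args", "env"}}.
    servers = doc.get("mcpServers") if isinstance(doc, dict) else None
    if not isinstance(servers, dict):
        return [{"file": source, "server": None, "argv": None, "note": "no mcpServers object"}]
    findings = []
    for name, spec in servers.items():
        spec = spec if isinstance(spec, dict) else {}
        args = spec.get("args") if isinstance(spec.get("args"), list) else []
        env = spec.get("env") if isinstance(spec.get("env"), dict) else {}
        findings.append({"file": source, "server": name,
                         "argv": [str(spec.get("command", ""))] + [str(a) for a in args],
                         "note": "sets env: " + ", ".join(sorted(env)) if env else ""})
    return findings


def audit_tree(root):
    """Find every .amazonq/mcp.json under root (symlinked dirs are not followed)."""
    findings = []
    for dirpath, dirnames, _ in os.walk(root, followlinks=False):
        dirnames[:] = [d for d in dirnames if d != ".git"]  # skip VCS internals
        path = os.path.join(dirpath, CONFIG_REL)
        if os.path.isfile(path):
            try:
                with open(path, encoding="utf-8") as fh:
                    findings += audit_text(fh.read(), path)
            except (OSError, UnicodeDecodeError) as exc:
                findings.append({"file": path, "server": None, "argv": None,
                                 "note": f"unreadable: {exc}"})
    return findings


if __name__ == "__main__":
    # With no argument, audit the constructed sample instead of a directory.
    results = audit_tree(sys.argv[1]) if len(sys.argv) > 1 else audit_text(SAMPLE_CONFIG, "<sample>")
    for f in results:
        print(f"{f['file']}: server={f['server']!r} argv={f['argv']} {f['note']}")
```

Every reported `argv` is a process the assistant would start with the developer's environment once the workspace is trusted, so each one should be reviewed against what the repository is expected to need.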
## References
- **AWS Security Bulletin:** hxxps://aws.amazon.com/security/security-bulletins/2026-047-aws/
- **Wiz Research Blog:** hxxps://www.wiz.io/blog/amazon-q-vulnerability
- **AWS Language Servers Advisory:** hxxps://github.com/aws/language-servers/security/advisories/GHSA-xhcr-j4j9-3gh7