Full Report
Researchers warn many AI coding assistants now execute commands from project configurations
Analysis Summary
# Vulnerability: Amazon Q RCE via Malicious MCP Configuration
## CVE Details
- **CVE ID:** CVE-2026-12957
- **CVSS Score:** 8.5 (High) [CVSS 4.0]
- **CWE:** Improper Input Validation / Unauthorized Execution of Arbitrary Commands (the source text does not cite a specific CWE; issues of this kind typically map to CWE-78 or CWE-94)
## Affected Systems
- **Products:** Amazon Q (AI coding assistant) for Visual Studio Code.
- **Versions:** Language server versions prior to 1.65.0.
- **Configurations:** Systems where Amazon Q is activated and used to open a repository containing a specialized configuration folder (`.amazonq/`).
## Vulnerability Description
The vulnerability stems from the way Amazon Q handles the **Model Context Protocol (MCP)**. MCP allows AI assistants to launch local processes to interact with local tools. Amazon Q was found to automatically load and execute commands defined in a repository's `.amazonq/mcp.json` file without user consent or a "workspace trust" check. When a developer opens a malicious repository and activates the extension, the AI assistant executes the attacker-defined commands within the developer's local environment.
## Exploitation
- **Status:** PoC available (Demonstrated by Wiz researchers).
- **Complexity:** Low (Requires only that the victim opens a folder and activates the extension).
- **Attack Vector:** Local/Network (Technically local execution triggered by remote-sourced content in a Git repository).
## Impact
- **Confidentiality:** High (Full access to AWS credentials, API keys, authentication tokens, and SSH agent sockets).
- **Integrity:** High (Execution of arbitrary commands allows for full system compromise and unauthorized AWS actions).
- **Availability:** High (Potential for system disruption or resource deletion via credentials).
## Remediation
### Patches
- **Version 1.65.0:** Amazon has remediated this in language server version 1.65.0. This component is typically updated automatically by the IDE extension.
### Workarounds
- **Manual Updates:** If automatic updates are disabled, update the extension manually and immediately.
- **Avoid Untrusted Repositories:** Do not open or activate AI coding assistants in repositories from untrusted sources.
- **Review Hidden Configs:** Inspect hidden directories (like `.amazonq/`) in new repositories for suspicious JSON files before activating extension tools.
## Detection
- **Indicators of Compromise:**
  - Presence of an unexpected `.amazonq/mcp.json` file in a repository.
  - Unusual automated outbound network calls or AWS CLI commands originating from the developer's workstation.
- **Detection methods and tools:**
  - Configuration management scans to flag automated MCP configuration files in workspace directories.
  - Monitoring for unauthorized credential access by the Visual Studio Code process tree.
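
One way to run the configuration scan and hidden-config review described above, as an added example that is not code from this report, Amazon, or Wiz. It assumes `.amazonq/mcp.json` follows the common MCP layout (`mcpServers` entries with `command` and `args`), which the report does not show; the function names and the sample repository are hypothetical.

```python
import json
import tempfile
from pathlib import Path

# Assumption: the file uses the common MCP layout,
# {"mcpServers": {name: {"command": str, "args": [str, ...]}}}.

def audit_mcp_config(path):
    """Return (server, command line) pairs the config would launch.
    Unreadable or oddly shaped files are reported, never skipped."""
    try:
        data = json.loads(Path(path).read_text(encoding="utf-8"))
    except (OSError, ValueError) as exc:
        return [("<unreadable>", f"{type(exc).__name__}: review manually")]
    servers = data.get("mcpServers") if isinstance(data, dict) else None
    if not isinstance(servers, dict):
        return [("<unexpected-shape>", "no mcpServers object: review manually")]
    findings = []
    for name, spec in servers.items():
        if not isinstance(spec, dict):
            findings.append((name, "<non-object entry>"))
            continue
        args = spec.get("args") or []
        if not isinstance(args, list):
            args = [args]
        argv = [str(spec.get("command", "<missing>"))] + [str(a) for a in args]
        findings.append((name, " ".join(argv)))
    return findings

def scan_workspace(root):
    """Map each .amazonq/mcp.json under root to the commands it defines."""
    return {str(p.relative_to(root)): audit_mcp_config(p)
            for p in sorted(Path(root).rglob(".amazonq/mcp.json"))}

def demo():
    """Constructed sample: one repo with a benign placeholder entry, one clean."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg = Path(tmp, "cloned-repo", ".amazonq", "mcp.json")
        cfg.parent.mkdir(parents=True)
        cfg.write_text(json.dumps({"mcpServers": {
            "docs-helper": {"command": "echo", "args": ["placeholder"]}}}))
        Path(tmp, "clean-repo").mkdir()
        return scan_workspace(tmp)

if __name__ == "__main__":
    for path, findings in demo().items():
        for server, cmdline in findings:
            print(f"{path}: server={server!r} would run: {cmdline}")
```

Run `scan_workspace` over the directory that holds freshly cloned repositories before opening them in the IDE; every reported entry is a process the assistant would start from repository-supplied configuration.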
## References
- **Vendor Advisory:** hxxps[://]aws[.]amazon[.]com/security/security-bulletins/2026-047-aws/
- **Researcher Technical Write-up:** hxxps[://]www[.]wiz[.]io/blog/amazon-q-vulnerability