Full Report
By automatically loading MCP servers from workspace files, Amazon Q enabled attackers to execute code and access sensitive cloud environments.
Analysis Summary
# Vulnerability: Amazon Q RCE via MCP Auto-Execution
## CVE Details
- **CVE ID:** CVE-2026-12957
- **CVSS Score:** High (Specific numerical score not provided in text)
- **CWE:** CWE-94 (Improper Control of Generation of Code / Code Injection)
## Affected Systems
- **Products:** Amazon Q VS Code Extension
- **Versions:** Language server versions prior to June 2026 (Fix confirmed in latest updates)
- **Configurations:** Systems where the Amazon Q extension is active and a user opens a workspace containing malicious configuration files.
## Vulnerability Description
The vulnerability stems from the Amazon Q extension's automated handling of the **Model Context Protocol (MCP)**. MCP is designed to allow AI agents to connect to external tools and data sources.
The extension was configured to automatically discover and load MCP servers defined within workspace files (such as local configuration files). When a user opened a project folder, Amazon Q would execute the specified MCP server commands without explicit user consent or "trusted workspace" verification. An attacker could embed malicious shell commands within these workspace configuration files, leading to Remote Code Execution (RCE) in the context of the VS Code process.
## Exploitation
- **Status:** PoC developed by Wiz Research; potential for exploitation via "Git Clone" attacks.
- **Complexity:** Low
- **Attack Vector:** Local/Network (Social engineering via malicious repository or shared workspace).
## Impact
- **Confidentiality:** High (Access to source code, environment variables, and cloud credentials stored in the IDE/CLI).
- **Integrity:** High (Ability to modify local files or execute arbitrary commands).
- **Availability:** High (Potential to disrupt local development environment).
## Remediation
### Patches
- **Update Amazon Q Extension:** Users should update their VS Code extension to the latest version. AWS has modified the behavior to prevent automatic loading of MCP servers from untrusted sources.
### Workarounds
- **Disable MCP Features:** If updates cannot be applied, manually disable MCP server integrations in the extension settings.
- **Workspace Trust:** Only open workspaces from trusted sources and ensure VS Code's "Workspace Trust" feature is strictly enforced.
## Detection
- **Indicators of Compromise:**
  - Unexpected processes spawned by the IDE or the Amazon Q language server.
  - Presence of unrecognized MCP configuration files (e.g., `mcp-servers.json` or unique workspace-level configs) containing executable scripts or network calls.
- **Detection Methods:** Monitor process execution logs for shell commands originating from the VS Code extension sub-processes.
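
A pre-open check for the configuration-file indicator above, as an added example (not code from Wiz, AWS or the extension): it walks a workspace, parses candidate MCP configuration files and lists every server command so it can be reviewed before the folder is opened in the IDE. The file name `mcp.json`, the `mcpServers`/`command`/`args` layout and the review pattern are assumptions; only `mcp-servers.json` comes from the text above.

```python
import json
import os
import re
import tempfile

# `mcp-servers.json` is the report's example name; `mcp.json` is an assumed variant.
CANDIDATE_NAMES = {"mcp-servers.json", "mcp.json"}
# Constructed heuristic: interpreters, network tools and shell metacharacters to review.
RISKY = re.compile(r"\b(sh|bash|zsh|cmd|powershell|pwsh|curl|wget|nc|python[0-9.]*|node)\b|[;&|`$]")

def find_mcp_configs(root):
    """Yield paths of candidate MCP config files under a workspace root."""
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in {".git", "node_modules"}]
        for name in filenames:
            if name in CANDIDATE_NAMES:
                yield os.path.join(dirpath, name)

def audit_config(path):
    """Return (path, server, command line, needs_review) per server entry.
    Assumes the layout {"mcpServers": {name: {"command": ..., "args": [...]}}}."""
    try:
        with open(path, encoding="utf-8") as fh:
            data = json.load(fh)
    except (OSError, ValueError) as exc:
        return [(path, "<unparseable>", str(exc), True)]  # fail closed: review by hand
    servers = data.get("mcpServers", {}) if isinstance(data, dict) else {}
    if not isinstance(servers, dict):
        return [(path, "<malformed>", "", True)]
    findings = []
    for name, spec in servers.items():
        spec = spec if isinstance(spec, dict) else {}
        args = spec.get("args") or []
        cmdline = " ".join([str(spec.get("command", ""))] + [str(a) for a in args])
        findings.append((path, name, cmdline, bool(RISKY.search(cmdline))))
    return findings

def audit_workspace(root):
    """Audit every candidate config file found under root."""
    return [f for p in find_mcp_configs(root) for f in audit_config(p)]

def demo():
    """Build a constructed sample workspace in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, ".vscode"))
        sample = {"mcpServers": {
            "docs": {"command": "/opt/tools/docs-mcp", "args": ["--stdio"]},
            "build-helper": {"command": "bash", "args": ["-c", "echo constructed-sample"]}}}
        with open(os.path.join(root, ".vscode", "mcp-servers.json"), "w") as fh:
            json.dump(sample, fh)
        return [(os.path.relpath(p, root), n, c, r) for p, n, c, r in audit_workspace(root)]
```

Run `audit_workspace()` on a freshly cloned repository before opening it; an entry with `needs_review` set is a prompt for manual inspection, not proof of compromise.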
## References
- **Wiz Research Blog:** hxxps[://]www[.]wiz[.]io/blog/mcp-auto-execution-amazon-q-vscode-vulnerability
- **Amazon Q Extension:** hxxps[://]marketplace[.]visualstudio[.]com/items?itemName=Amazon.amazon-q-vscode