[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fRLV7J8-2337J6rgiRu9eOV60M-BbQoUVOoTvK4T4aiI":3},{"article":4,"iocs":57},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":31,"category":32,"article_tags":36},"02eae163-571d-4166-9e20-62057ff41031","Amazon Q Developer Flaw Could Let Malicious Repos Run Code via MCP Configs","amazon-q-developer-flaw-could-let-malicious-repos-run-code-via-mcp-configs-1fc5c8","A high-severity flaw in Amazon Q Developer let a malicious repository run commands and steal a developer's cloud credentials. The path was short: a developer opens the repo, trusts the workspace, and Amazon Q does the rest. Amazon has patched it. Tracked as CVE-2026-12957 (CVSS 8.5), the bug sat in how Amazon's AI coding assistant handled Model Context Protocol (MCP) servers. Wiz","A high-severity vulnerability (CVE-2026-12957, CVSS 8.5) in Amazon Q Developer allowed attackers to execute arbitrary code and exfiltrate AWS credentials through malicious Model Context Protocol (MCP) configuration files in cloned repositories. The flaw affected all four IDE plugins (VS Code, JetBrains, Eclipse, Visual Studio) and required only that a developer open a malicious repo and trust the workspace. Amazon patched the issue by implementing explicit consent prompts before launching untrusted MCP servers; the fix is available in Language Servers for AWS 1.69.0 and later.","Amazon Q Developer flaw allows malicious repos to run code and steal cloud credentials via MCP configs.","Amazon Q Developer Flaw Could Let Malicious Repos Run Code via MCP Configs Swati KhandelwalJun 26, 2026AI Security \u002F Vulnerability A high-severity flaw in Amazon Q Developer let a malicious repository run commands and steal a developer's cloud credentials. The path was short: a developer opens the repo, trusts the workspace, and Amazon Q does the rest. Amazon has patched it. Tracked as CVE-2026-12957 (CVSS 8.5), the bug sat in how Amazon's AI coding assistant handled Model Context Protocol (MCP) servers. Wiz Research, which found and reported it, showed that a single config file dropped in a repo was enough to go from git clone to cloud compromise. How the attack worked Amazon Q read an MCP configuration file, .amazonq\u002Fmcp.json, from the open workspace and launched the servers it defined. MCP servers are local processes that an AI assistant can spawn to reach databases, APIs, or build tools, so starting one means running commands on the machine. Those processes inherited the developer's full environment. That usually means AWS keys, cloud CLI tokens, API secrets, and SSH agent sockets. Put the two together, and a file sitting in a cloned repo could run arbitrary code with the developer's live cloud session attached. No password, no second sign-in. In its proof of concept, Wiz had the file run aws sts get-caller-identity and ship the output to an attacker server, capturing the active AWS session. What comes next depends on that developer's cloud permissions: backdoor an IAM user for persistence, reach internal services, or pivot toward production. AWS and Wiz frame the consent step differently. Amazon's advisory says the user has to trust the workspace when prompted, and CVSS rates the user interaction as passive. Wiz reported there was no separate consent step for the MCP servers themselves before the fix. The patch closes that gap: Amazon Q now flags an untrusted MCP server and lets the developer reject the command before it runs. The flaw lives in Language Servers for AWS, the runtime that powers Amazon Q across VS Code, JetBrains, Eclipse, and Visual Studio. All four plugins bundle it, so all four were exposed by versions that shipped an older copy. What to do Update. CVE-2026-12957 is fixed in Language Servers for AWS 1.65.0, but AWS's bulletin tells customers to move to 1.69.0. That build also closes a second issue, CVE-2026-12958, a missing symlink check that could allow arbitrary file writes outside the workspace trust boundary. The patched plugin minimums: VS Code: 2.20 or later JetBrains: 4.3 or later Eclipse: 2.7.4 or later Visual Studio toolkit: 1.94.0.0 or later The language server auto-updates unless the network blocks it, and reloading the IDE pulls the latest build. There is no known public exploitation; CISA's ADP entry for CVE-2026-12957 lists it as none. Wiz found the flaw through research and disclosed it in coordination with Amazon, reporting it on April 20 and seeing a fix on May 12, ahead of the June 26 public write-up. A pattern, not a one-off Amazon Q is not the first coding assistant to trip over MCP trust. The bugs are not identical, but they rhyme: project configuration turns into executable behavior, and the trust checks around that handoff keep failing. Claude Code (CVE-2025-59536) and Cursor (CVE-2025-54136) both had project-level MCP config that led to command execution. Windsurf (CVE-2026-30615) reached the same end by a different path, with attacker-controlled content rewriting the local MCP config to register a malicious server. The convenience of letting a project folder configure an AI agent is also the attack surface. Repo-carried config is untrusted input. Turning it into a running process should take an explicit yes. Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share Share SHARE  AI Security, amazon, AWS, Cloud security, Credential Theft, Developer Tools, IDE Plugin, MCP, Supply Chain Security, Vulnerability ⚡ Top Stories This Week Chrome V8 Zero-Day CVE-2026-11645 Exploited in the Wild - Patch Now Researchers Build Self-Replicating AI Worm That Operates Entirely on Local, Open-Weight Models Microsoft Defender RoguePlanet Zero-Day Grants SYSTEM Access on Updated Windows Anthropic Releases Claude Fable 5, Its Most Powerful AI Yet, With Cyber Safeguards Microsoft Patches Record 206 Flaws, Including Three Zero-Days and Critical RCE Bugs Ivanti, Fortinet, and SAP Release Patches for Multiple Critical Vulnerabilities Cybersecurity Stars Awards 2026: Winners Announced Across 95 Categories ThreatsDay Bulletin: Worm Code Leaked, AI Agent Phished, Claude Code Patch + 28 New Stories New GreatXML Exploit Bypasses Windows BitLocker via Recovery Partition XML Files Agentjacking Attack Tricks AI Coding Agents Into Running Malicious Code China-Linked Hackers Backdoored Linux Login Software to Hide for Nearly a Decade Critical Splunk Enterprise Flaw Lets Attackers Run Code Without Authentication U.S. Orders Anthropic to Suspend Fable 5 and Mythos 5 Access for Foreign Nationals Over 400 Arch Linux AUR Packages Hijacked to Deploy Infostealer and eBPF Rootkit Palo Alto Warns of Active Exploitation of PAN-OS GlobalProtect VPN Flaw ⚡ Weekly Recap: Chrome 0-Day, UniFi Exploits, macOS Stealers, VPN Flaw and More ⭐ Featured Resources Get the 2026 Guide to Govern and Secure Enterprise AI Agents at Scale [Watch Demo] See Which Security Gaps Attackers Could Exploit First AI Can’t Stop Every Attack. Learn How Zero Trust Can Block What’s Unknown Have You Outgrown Your MDR? 7 Warning Signs Every CISO Should Check","https:\u002F\u002Fthehackernews.com\u002F2026\u002F06\u002Famazon-q-developer-flaw-could-let.html","https:\u002F\u002Fblogger.googleusercontent.com\u002Fimg\u002Fb\u002FR29vZ2xl\u002FAVvXsEig3gygt20RdznayWN2yru6wSgNt8CSdr16F8I-naxtPn837cr6v0uV0bXdhz36P1XYrpnjmzDXTAtH0wa43Me8rqD2hvET-xQP0ndoX-ddXsypZCjSSNJUqmfl69g96R6yMiUqgXE_NGAL8bl2z6lYutrgKiY74tNIafz_xRsNsJQSB9s_9lSHiybX2kQ\u002Fs1600\u002Faws.jpg","2026-06-26T13:53:00+00:00","2026-06-26T16:00:28.325865+00:00",9,[18,21,24,26,29],{"name":19,"type":20},"Amazon","vendor",{"name":22,"type":23},"Amazon Q Developer","product",{"name":25,"type":23},"Language Servers for AWS",{"name":27,"type":28},"Model Context Protocol (MCP)","technology",{"name":30,"type":20},"Wiz Research","80544778-fabb-4dcd-aa35-17492e5dcf4f",{"id":31,"icon":33,"name":34,"slug":35},null,"Vulnerabilities","vulnerabilities",[37,42,47,52],{"category":38},{"id":39,"icon":33,"name":40,"slug":41},"26b0b636-0e31-4db1-bffb-61bdf9f20a58","Supply Chain","supply-chain",{"category":43},{"id":44,"icon":33,"name":45,"slug":46},"2c8f44d4-b56e-47cf-9677-04f22c9ee78d","Identity & Access","identity-access",{"category":48},{"id":49,"icon":33,"name":50,"slug":51},"839da5c1-3c34-47e2-9499-f7201640e3ac","AI Security","ai-security",{"category":53},{"id":54,"icon":33,"name":55,"slug":56},"c70f3a41-2f0c-4608-870d-b8cbcd8be076","Cloud Security","cloud-security",[58,62],{"type":59,"value":60,"context":61},"cve","CVE-2026-12957","High-severity flaw in Amazon Q Developer allowing arbitrary code execution and credential theft via malicious MCP config files",{"type":59,"value":63,"context":64},"CVE-2026-12958","Missing symlink check in Language Servers for AWS allowing arbitrary file writes outside workspace trust boundary"]