Amazon Q Developer CVE-2026-12957: Patch MCP RCE Flaw

by Emma Davis
6 minutes ago

Amazon Q Developer users should update Language Servers for AWS after high-severity CVEs exposed malicious-workspace code execution and file-write risks.

AWS has published fixes for two high-severity flaws in Language Servers for AWS, the runtime behind Amazon Q Developer plugins for Visual Studio Code, JetBrains IDEs, Eclipse, and Visual Studio. The more urgent issue, CVE-2026-12957, can let a malicious workspace run commands from project configuration files after a developer opens and trusts that workspace.[1]

This is not a wormable internet bug, but it is exactly the kind of developer-workstation issue that can turn a cloned repository into a cloud-access problem. NVD rates CVE-2026-12957 as high severity, with CVSS 8.5 under CVSS v4.0 and 7.8 under CVSS v3.1, because successful exploitation can affect confidentiality, integrity, and availability on the local system.[2] Wiz, which disclosed the Amazon Q Developer MCP auto-execution path publicly on June 26, said the vulnerable behavior allowed MCP server configuration from a workspace to execute with inherited environment access, creating a route to local code execution and exposed cloud credentials.[4]

A second flaw, CVE-2026-12958, involves missing symlink validation and can allow arbitrary file writes outside the expected workspace trust boundary when a user opens a crafted workspace. NVD also rates that issue as high severity.[3] AWS says users should upgrade Language Servers for AWS to fixed versions: version 1.65.0 or later for CVE-2026-12957, and version 1.69.0 or later for CVE-2026-12958.[1]

The practical takeaway is simple: if Amazon Q Developer is installed, update the IDE plugin and confirm the bundled Language Servers for AWS are current. Treat any recently opened untrusted repository as a possible local compromise until you have checked what ran on the workstation. This risk sits in the same developer-supply-chain lane as poisoned extension and package incidents, including the Nx Console VS Code extension secret theft, the Red Hat npm Miasma credential-stealing worm, and the Mastra npm supply-chain attack.

What Amazon Q Developer users should check now

Start with version control hygiene. If a repository came from a pull request, a random proof-of-concept link, a private message, or a newly registered package maintainer, do not open it in a fully trusted IDE session until it has been reviewed. The workspace-trust prompt matters here: the AWS bulletin says CVE-2026-12957 requires the user to trust the workspace when prompted.[1] That condition lowers the blast radius, but it does not remove the risk for busy developers who routinely trust project folders to make language tooling work.

Next, check the local developer environment. Review shell history, recently modified startup files, IDE tasks, workspace configuration, MCP-related configuration, and any unexpected processes launched around the time the repository was opened. On macOS and Linux, pay special attention to files that can affect shells, Git hooks, SSH agent behavior, package-manager scripts, and local credential helpers. On Windows, review PowerShell history, scheduled tasks, startup folders, and Defender detections around the same window.

If cloud or production access was present in the environment, rotate it. That includes AWS access keys, session tokens, SSO-derived credentials, GitHub tokens, package-registry tokens, SSH keys used for deployment, and secrets loaded into terminal profiles. In AWS, review CloudTrail for unusual IAM, STS, Secrets Manager, S3, Lambda, ECR, EC2, and Organizations activity from the developer identity. The highest-priority accounts are maintainers, release engineers, platform teams, and anyone who opens third-party repositories while logged into privileged cloud profiles.

Security teams should also update onboarding rules for AI coding assistants and MCP tooling. The safer default is to open unfamiliar repositories in a disposable container or VM, with no inherited cloud credentials and no long-lived tokens in the environment. That is less convenient than opening the folder directly in VS Code, but it keeps a malicious workspace from becoming a shortcut to real infrastructure.

References

  1. AWS Security Bulletin 2026-047-AWS, “CVE-2026-12957 and CVE-2026-12958 – Issues in Language Servers for AWS and Amazon Q Developer Plugins,” published June 23, 2026. https://aws.amazon.com/security/security-bulletins/2026-047-aws/
  2. NVD, “CVE-2026-12957 Detail,” published June 23, 2026. https://nvd.nist.gov/vuln/detail/CVE-2026-12957
  3. NVD, “CVE-2026-12958 Detail,” published June 23, 2026. https://nvd.nist.gov/vuln/detail/CVE-2026-12958
  4. Wiz Research, “MCP Auto-Execution: From Git Clone to Cloud Compromise in Amazon Q VS Code Extension,” published June 26, 2026. https://www.wiz.io/blog/amazon-q-vulnerability
  5. The Hacker News, “Amazon Q Developer Flaw Could Let Malicious Repos Run Code via MCP Configs,” published June 26, 2026. https://thehackernews.com/2026/06/amazon-q-developer-flaw-could-let.html

About the author

Emma Davis

Content editor and security writer focused on making malware-removal and scam-prevention guides easier to understand. Emma reviews structure, clarity, and source consistency before articles are published.

View all posts

Leave a Comment