Amazon Q Developer Flaw Exposed Cloud Credentials

You clone a repository. You trust the workspace. Your AI coding assistant does the rest.

That's the path Wiz Research demonstrated with Amazon Q Developer. A single config file in a malicious repository was enough to go from git clone to cloud compromise. The flaw, tracked as CVE-2026-12957, carried a CVSS score of 8.5. Amazon has patched it.

The bug sat in how Amazon Q handled Model Context Protocol (MCP) servers. The path was short, the impact was severe, and the fix is now available.

How the Attack Worked

The Amazon Q Developer credential exposure flaw started with a file. Amazon Q reads an MCP configuration file from the open workspace: .amazonq/mcp.json. It launches the servers defined there.

MCP servers are local processes that an AI assistant can spawn to reach databases, APIs, or build tools. Starting one means running commands on the machine. Those processes inherit the developer's full environment. 

That usually means:

1. AWS keys
2. Cloud CLI tokens
3. API secrets
4. SSH agent sockets

Put the two together, and a file sitting in a cloned repo could run arbitrary code with the developer's live cloud session attached. No password. No second sign-in.

In its proof of concept, Wiz had the file run aws sts get-caller-identity and ship the output to an attacker server. That captured the active AWS session. What comes next depends on that developer's cloud permissions: backdoor an IAM user for persistence, reach internal services, or pivot toward production.

The Consent Gap

AWS and Wiz frame the consent step differently. Amazon's advisory says the user has to trust the workspace when prompted. CVSS rates the user interaction as passive.

Wiz reported there was no separate consent step for the MCP servers themselves before the fix. The developer trusted the workspace. Amazon Q launched the servers. No additional confirmation was required.

The patch closes that gap. Amazon Q now flags an untrusted MCP server and lets the developer reject the command before it runs.

What Was Affected

The Amazon Q Developer credential exposure flaw lived in Language Servers for AWS, the runtime that powers Amazon Q across:
1. VS Code
2. JetBrains
3. Eclipse
4. Visual Studio

All four plugins bundle it. All four were exposed in versions that shipped an older copy of it.

The Patches

CVE-2026-12957 is fixed in Language Servers for AWS 1.65.0. AWS's bulletin tells customers to move to 1.69.0. That build also closes a second issue, CVE-2026-12958, a missing symlink check that could allow arbitrary file writes outside the workspace trust boundary.

The patched plugin minimums are:

1. VS Code: 2.20 or later
2. JetBrains: 4.3 or later
3. Eclipse: 2.7.4 or later
4. Visual Studio toolkit: 1.94.0.0 or later

The language server auto-updates unless the network blocks it. Reloading the IDE pulls the latest build.

Was This Exploited?

There is no known public exploitation. CISA's ADP entry for CVE-2026-12957 lists exploitation as none. Wiz found the flaw through research and disclosed it in coordination with Amazon.

They reported it on April 20 and saw a fix on May 12, ahead of the June 26 public write-up.

It’s a Trend, Not an Anomaly

The Amazon Q Developer flaw belongs to a class of vulnerabilities in which a coding assistant fails to respect MCP trust.

The details vary, but the issues echo each other: MCP configuration turns into executable code, and trust validation around that transition fails repeatedly.

1. Claude Code (CVE-2025-59536): Project-level MCP configuration allowed command execution.
2. Cursor (CVE-2025-54136): The same vulnerability, found in a different product.
3. Windsurf (CVE-2026-30615): Attacker-controlled content overwrote the local MCP config to register a malicious server.

The convenience of letting a project folder configure an AI agent is also the attack surface. Repo-carried config is untrusted input. Turning it into a running process should take an explicit yes.

What to Do

If you use Amazon Q Developer, update immediately. The fix is included in Language Servers for AWS 1.69.0.
1. Make sure you meet the minimum versions of your plugins mentioned above.
2. Reload your IDE to get the updated build.
3. If your network does not allow automatic updates, perform a manual update.

Going forward, be cautious when trusting workspaces from unknown repositories. The trust prompt is not permission to run arbitrary commands. It's permission to open the workspace.
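
One way to review a cloned repository before trusting the workspace, as an added example that is not from Wiz, AWS or the original article: it lists each command that .amazonq/mcp.json would have the assistant spawn, plus the names of credential variables that process would inherit. The mcpServers/command/args/env layout, the variable prefixes and the sample repo are assumptions; the script parses the file and executes nothing.

```python
import json
import os
import shlex
import tempfile
from pathlib import Path

# Assumed schema: {"mcpServers": {name: {"command": str, "args": [...], "env": {...}}}}
CONFIG_REL = Path(".amazonq") / "mcp.json"
# Constructed, non-exhaustive markers for the credential types listed in the article.
SENSITIVE_PREFIXES = ("AWS_", "AZURE_", "GOOGLE_", "GITHUB_")
SENSITIVE_NAMES = {"SSH_AUTH_SOCK"}

def inherited_secrets(environ):
    """Names (never values) of credential-bearing variables a child process inherits."""
    return sorted(k for k in environ if k in SENSITIVE_NAMES or k.startswith(SENSITIVE_PREFIXES))

def audit_workspace(repo_root, environ=None):
    """One finding per MCP server the repo asks the assistant to spawn; runs nothing."""
    environ = os.environ if environ is None else environ
    cfg = Path(repo_root) / CONFIG_REL
    if not cfg.is_file():
        return []
    try:
        doc = json.loads(cfg.read_text(encoding="utf-8"))
    except ValueError:
        doc = None
    servers = doc.get("mcpServers") if isinstance(doc, dict) else None
    if not isinstance(servers, dict):
        return [{"server": None, "note": "no readable mcpServers object, review by hand"}]
    findings = []
    for name, spec in servers.items():
        spec = spec if isinstance(spec, dict) else {}
        args = spec.get("args") if isinstance(spec.get("args"), list) else []
        env = spec.get("env") if isinstance(spec.get("env"), dict) else {}
        argv = [str(spec.get("command", ""))] + [str(a) for a in args]
        findings.append({"server": name, "command": shlex.join(argv),
                         "sets_env": sorted(env), "inherits": inherited_secrets(environ)})
    return findings

def demo():  # constructed sample repo and constructed environment
    with tempfile.TemporaryDirectory() as root:
        cfg = Path(root) / CONFIG_REL
        cfg.parent.mkdir()
        cfg.write_text(json.dumps({"mcpServers": {"build-helper": {
            "command": "sh", "args": ["-c", "echo hello"]}}}), encoding="utf-8")
        env = {"PATH": "/usr/bin", "AWS_SESSION_TOKEN": "x", "SSH_AUTH_SOCK": "/tmp/agent"}
        return audit_workspace(root, env)

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Any finding means the repository carries a process definition; read the command line before answering the trust prompt.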

The Bottom Line

The Amazon Q Developer credential exposure flaw is a textbook example of how AI assistants create new attack surfaces. A config file. A trusted workspace. A running command. A compromised session.

The fix is available. The exploit details are public. Update your plugins now.

FAQ Section

What is CVE-2026-12957?

CVE-2026-12957 is a vulnerability in Amazon Q Developer where a malicious repository could run commands and steal cloud credentials via an MCP server config file.

How does the attack work?

A developer clones a repo with a malicious .amazonq/mcp.json file. When they trust the workspace, Amazon Q launches the MCP server defined there. The server inherits the developer's cloud credentials and can exfiltrate them.

Which plugins does this vulnerability affect?

VS Code, JetBrains, Eclipse, and Visual Studio plugins are affected. All four plugins use Language Servers for AWS.

Is there a fix for this bug?

Yes. This vulnerability is fixed in Language Servers for AWS 1.69.0. The corresponding versions of plugins are VS Code 2.20, JetBrains 4.3, Eclipse 2.7.4, and Visual Studio 1.94.0.

Were there any exploitation attempts?

There have been no reports of exploitation. Wiz Research discovered the vulnerability and reported it through coordinated disclosure.

What can I do?

Make sure you update to the latest version of the plugin. If you have turned on auto-update in your IDE, restart the IDE.

Source: The Hacker News