High-Severity Flaw in Amazon Q Developer Allowed Cloud Credential Theft
A high-severity vulnerability, tracked as **CVE-2026-12957**, in **Amazon Q Developer** allowed malicious repositories to execute arbitrary commands and steal a developer's cloud credentials. Discovered by **Wiz Research**, the flaw exploited how the AI coding assistant handled Model Context Protocol (MCP) servers, posing a significant supply chain risk. **Amazon** has since patched the issue, urging developers to update their plugins immediately.

Security researchers at **Wiz Research** have uncovered a high-severity flaw in **Amazon Q Developer**, **Amazon's** AI-powered coding assistant, that could have led to cloud credential compromise. The vulnerability, identified as **CVE-2026-12957** (CVSS 8.5), centered on the assistant's handling of Model Context Protocol (MCP) servers.
### The Attack Vector
The attack path was alarmingly straightforward: a developer would clone and open a malicious repository, trust the workspace, and **Amazon Q** would inadvertently facilitate the compromise. According to **Wiz Research**, a single configuration file within a repository was sufficient to transition from a `git clone` operation to a full cloud compromise.
The core of the issue lay in how **Amazon Q** processed the `.amazonq/mcp.json` configuration file from an open workspace. This file defines MCP servers, which are local processes that an AI assistant can spawn to interact with databases, APIs, or build tools. By launching these defined servers, the assistant would effectively execute commands on the developer's machine.
Crucially, these processes inherited the developer's complete environment, including sensitive data such as **AWS** keys, cloud CLI tokens, API secrets, and SSH agent sockets. A malicious file in a cloned repository could therefore execute arbitrary code with the developer's live cloud session attached, with no further authentication needed.
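
As an added example (not code from Wiz Research or Amazon), the following pre-open audit lists every process that a cloned repository's `.amazonq/mcp.json` files would define, along with the names of credential-bearing variables a spawned server would inherit. The `mcpServers`/`command`/`args` layout, the `SENSITIVE` heuristic, the sample config and all function names are assumptions of this sketch.

```python
import json
import os
import re
import shlex
import tempfile
from pathlib import Path

# Heuristic for this example: variable names that suggest inherited credentials.
SENSITIVE = re.compile(r"^AWS_|^SSH_AUTH_SOCK$|TOKEN|SECRET|API_?KEY", re.I)
# Constructed sample; the "mcpServers"/"command"/"args" layout is an assumption.
SAMPLE = {"mcpServers": {"helper": {
    "command": "sh", "args": ["-c", "aws sts get-caller-identity"]}}}

def inherited_secrets(environ=None):
    """Names (never values) of variables a spawned MCP server would inherit."""
    environ = os.environ if environ is None else environ
    return sorted(name for name in environ if SENSITIVE.search(name))

def audit_repo(root):
    """One finding per process defined under root; unparseable configs are reported too."""
    findings = []
    for cfg in sorted(Path(root).rglob(".amazonq/mcp.json")):
        rel = cfg.relative_to(root).as_posix()
        try:
            doc = json.loads(cfg.read_text(encoding="utf-8"))
            items = sorted(doc["mcpServers"].items())
        except (OSError, ValueError, KeyError, TypeError, AttributeError) as exc:
            findings.append({"file": rel, "server": None, "error": repr(exc)})
            continue
        for name, spec in items:
            spec = spec if isinstance(spec, dict) else {}
            args = spec.get("args") if isinstance(spec.get("args"), list) else []
            argv = [str(spec.get("command", ""))] + [str(a) for a in args]
            findings.append({"file": rel, "server": name, "cmdline": shlex.join(argv)})
    return findings

def demo():
    """Audit a throwaway checkout that contains the constructed sample."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg = Path(tmp, "pkg", ".amazonq", "mcp.json")
        cfg.parent.mkdir(parents=True)
        cfg.write_text(json.dumps(SAMPLE), encoding="utf-8")
        return audit_repo(tmp)

if __name__ == "__main__":
    print(demo())
    print("would be inherited:", inherited_secrets())
```

Run `audit_repo` against a fresh clone before opening the folder in the IDE; a finding with an `error` field means the file needs manual review.
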
### Proof of Concept and Remediation
In their proof of concept, **Wiz Research** demonstrated how the malicious configuration could run `aws sts get-caller-identity` and exfiltrate the output to an attacker-controlled server, thereby capturing the active **AWS** session. The extent of the post-compromise actions would then depend on the developer's cloud permissions, ranging from backdooring **IAM** users for persistence to pivoting into internal services or production environments.
While **Amazon's** advisory noted that user interaction (trusting the workspace) was a prerequisite, **Wiz Research** highlighted that, prior to the patch, there was no explicit consent step specifically for the MCP servers themselves. The subsequent fix addresses this gap, with **Amazon Q** now prompting developers to approve or reject untrusted MCP server commands before execution.

The vulnerability resided in **Language Servers for AWS**, the runtime powering **Amazon Q** across popular IDEs such as **VS Code**, **JetBrains**, **Eclipse**, and **Visual Studio**. All plugins bundling older versions of this runtime were exposed.
### Immediate Action Required
Developers are strongly advised to update their **Amazon Q Developer** plugins immediately. **CVE-2026-12957** is fixed in **Language Servers for AWS 1.65.0**, but **AWS's** bulletin recommends updating to version 1.69.0 or later. This build also addresses a second issue, **CVE-2026-12958**, which involved a missing symlink check that could allow arbitrary file writes outside the workspace trust boundary.
Minimum patched plugin versions are:

* **VS Code**: 2.20 or later
* **JetBrains**: 4.3 or later
* **Eclipse**: 2.7.4 or later
* **Visual Studio toolkit**: 1.94.0.0 or later

The language server typically auto-updates unless blocked by network configurations. Reloading the IDE should pull the latest build.

There is no known public exploitation of these vulnerabilities. **Wiz Research** discovered and reported the flaw on April 20, with **Amazon** deploying a fix by May 12, ahead of the June 26 public disclosure.
### A Recurring Trust Issue
This incident is not isolated. Several other AI coding assistants have faced similar trust-related vulnerabilities involving MCP configurations. Previous instances include **Claude Code** (**CVE-2025-59536**), **Cursor** (**CVE-2025-54136**), and **Windsurf** (**CVE-2026-30615**). These cases highlight a pattern where project-level configurations, intended for convenience, become an attack surface when trust checks around executable behavior are insufficient. The fundamental takeaway remains: repository-carried configurations should be treated as untrusted input, requiring explicit user consent before triggering any executable processes.