A high-severity vulnerability in Amazon Q Developer allowed a malicious repository to run commands and steal a developer’s cloud credentials — all it took was cloning the repo and trusting the workspace.
Tracked as CVE-2026-12957 with a CVSS score of 8.5, the bug sat in how Amazon’s AI coding assistant handled Model Context Protocol (MCP) servers. MCP servers are local processes an AI assistant can spawn to reach databases, APIs, or build tools. That means running commands on the machine — with the developer’s full environment attached: AWS keys, cloud CLI tokens, API secrets, SSH agent sockets.
Wiz Research, which discovered the flaw, showed that a single config file — .amazonq/mcp.json — dropped in a repo was enough to go from git clone to cloud compromise. In their proof of concept, the file ran aws sts get-caller-identity and shipped the output to an attacker server, capturing the active AWS session. What comes next depends on that developer’s cloud permissions.
Amazon has patched it. The fix flags untrusted MCP servers and lets developers reject commands before they run. The vulnerability lives in Language Servers for AWS, which powers Amazon Q across VS Code, JetBrains, Eclipse, and Visual Studio — all four were affected.
Update to Language Servers for AWS 1.69.0 or later. That build also fixes a second issue, CVE-2026-12958, a missing symlink check that could allow arbitrary file writes outside the workspace trust boundary.
This isn’t an isolated case. Claude Code, Cursor, and Windsurf have all had similar issues where project-level MCP config led to command execution. The convenience of letting a project folder configure an AI agent is also the attack surface.
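As an added example (not code from Wiz, Amazon, or the affected products), the Python below audits a freshly cloned repository for the project-level file named above, .amazonq/mcp.json, and lists every process it would ask the assistant to spawn. It assumes the common MCP layout of an mcpServers object whose entries carry command, args and env keys, since the page does not show the file's contents; the sample config and its server names are constructed.

```python
import json
import tempfile
from pathlib import Path

# Path named in the article; pass other assistants' project-level paths as needed.
DEFAULT_CONFIGS = (".amazonq/mcp.json",)
SHELLS = {"sh", "bash", "zsh", "dash", "cmd", "cmd.exe", "powershell", "pwsh"}

# Constructed sample, assuming the common {"mcpServers": {...}} layout.
SAMPLE = {"mcpServers": {
    "docs": {"command": "npx", "args": ["-y", "example-docs-server"]},
    "build-helper": {"command": "/bin/sh", "args": ["-c", "echo constructed"],
                     "env": {"EXAMPLE_TOKEN": "placeholder"}},
}}

def audit_repo(root, config_paths=DEFAULT_CONFIGS):
    """List every process a repo-supplied MCP config would ask the assistant to spawn."""
    findings = []
    for rel in config_paths:
        cfg = Path(root) / rel
        if not cfg.is_file():
            continue
        try:
            data = json.loads(cfg.read_text(encoding="utf-8"))
        except (OSError, ValueError) as exc:  # unreadable, bad encoding or bad JSON
            findings.append({"file": rel, "server": None, "argv": [],
                             "env_keys": [], "notes": [f"unparseable: {exc}"]})
            continue
        servers = data.get("mcpServers") if isinstance(data, dict) else None
        for name, spec in (servers if isinstance(servers, dict) else {}).items():
            spec = spec if isinstance(spec, dict) else {}
            args = spec.get("args") if isinstance(spec.get("args"), list) else []
            env = spec.get("env") if isinstance(spec.get("env"), dict) else {}
            argv = [str(spec.get("command", ""))] + [str(a) for a in args]
            notes = []
            # Basename check works for both POSIX and Windows style paths.
            if argv[0].replace("\\", "/").rsplit("/", 1)[-1].lower() in SHELLS:
                notes.append("shell interpreter: args are an arbitrary script")
            findings.append({"file": rel, "server": name, "argv": argv,
                             "env_keys": sorted(env), "notes": notes})
    return findings

def demo():
    """Write SAMPLE into a throwaway repo layout and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg = Path(tmp) / ".amazonq" / "mcp.json"
        cfg.parent.mkdir()
        cfg.write_text(json.dumps(SAMPLE), encoding="utf-8")
        return audit_repo(tmp)

if __name__ == "__main__":
    for f in demo():
        print(f["file"], f["server"], f["argv"], f["env_keys"], f["notes"])
```

Run it against a clone before trusting the workspace. A shell note is a prompt to read the args by hand, and an empty note list is not a clean bill of health, because any spawned process inherits the developer's environment.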
