A critical vulnerability in Amazon Q Developer, identified as CVE-2026-12957 with a CVSS score of 8.5, allowed malicious repositories to execute arbitrary code on developers’ machines, potentially leading to the theft of cloud credentials. This flaw resided in the handling of Model Context Protocol (MCP) servers by Amazon’s AI coding assistant.
Amazon Q Developer is an AI-powered coding assistant integrated into popular Integrated Development Environments (IDEs) such as Visual Studio Code, JetBrains, Eclipse, and Visual Studio. It enhances developer productivity by providing intelligent code suggestions and automating routine tasks. MCP servers are local processes that the assistant can spawn to interact with databases, APIs, or build tools, thereby streamlining development workflows.
The vulnerability was discovered by Wiz Research, who demonstrated that a specially crafted configuration file, .amazonq/mcp.json, placed within a repository could trigger the execution of arbitrary commands upon opening the project in a trusted workspace. This execution occurred without additional user consent, inheriting the developer’s environment variables, including sensitive AWS credentials, cloud CLI tokens, API secrets, and SSH agent sockets.
In a proof-of-concept, Wiz Research showed that the malicious configuration could run commands like aws sts get-caller-identity to capture the active AWS session and transmit it to an attacker-controlled server. Depending on the developer’s cloud permissions, this could enable attackers to establish persistent access, reach internal services, or pivot towards production environments.
Amazon addressed this issue by releasing an updated version of the Language Servers for AWS, which powers Amazon Q across various IDEs. The fix, included in version 1.65.0 and later, introduces a prompt that alerts developers to untrusted MCP servers, allowing them to reject potentially harmful commands before execution. Users are advised to update to the following minimum versions to mitigate the risk:
- Visual Studio Code: 2.20 or later
- JetBrains: 4.3 or later
- Eclipse: 2.7.4 or later
- Visual Studio Toolkit: 1.94.0.0 or later
While there are no known instances of this vulnerability being exploited in the wild, it underscores a recurring pattern in AI-powered development tools where project-level configurations can lead to unintended code execution. Similar issues have been identified in other coding assistants, emphasizing the need for robust security measures and vigilant trust management in development environments.
As AI-driven development tools become increasingly integrated into the software development lifecycle, ensuring their security is paramount. Developers should remain cautious when importing external repositories and verify the integrity of configuration files. Regularly updating tools and plugins to their latest versions is essential to protect against emerging threats. This incident serves as a reminder of the importance of balancing convenience with security in the adoption of AI technologies in development workflows.
