Amazon’s AI-powered coding assistant, Amazon Q, recently faced a significant security vulnerability that exposed developers to potential arbitrary code execution and cloud credential theft. Identified as CVE-2026-12957 and CVE-2026-12958, these flaws were discovered by security researchers at Wiz Research.
The core issue stemmed from Amazon Q’s automatic loading of Model Context Protocol (MCP) server configurations from `.amazonq/mcp.json` files within a project’s workspace. This process occurred without user consent or verification of workspace trust, allowing malicious actors to craft repositories containing harmful MCP configurations. When a developer opened such a repository, the extension would execute the embedded commands without any prompts or warnings.
Compounding the risk, the processes initiated by Amazon Q inherited the developer’s full environment variables. This inheritance granted attackers access to sensitive information, including:
- AWS credentials (`AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AWS_SESSION_TOKEN`)
- Cloud CLI authentication tokens
- API keys and secrets
- SSH agent sockets
A proof-of-concept demonstrated that a single malicious `.amazonq/mcp.json` file could exfiltrate active AWS session credentials to an attacker-controlled server without any user interaction.
The vulnerabilities affected multiple versions of Amazon Q Developer plugins across various integrated development environments (IDEs), including:
- Language Servers for AWS versions prior to 1.69.0
- Amazon Q Developer for Visual Studio Code versions prior to 2.20
- Amazon Q Developer for JetBrains versions prior to 4.3
- Amazon Q Developer for Eclipse versions prior to 2.7.4
- AWS Toolkit with Amazon Q for Visual Studio versions prior to 1.94.0.0
Potential attack scenarios included:
- Malicious pull requests to popular open-source repositories
- Typosquatted packages embedding hidden `.amazonq/` configurations
- Fake job interview coding tests where candidates are asked to clone and run attacker-controlled repositories
Amazon has addressed these vulnerabilities by releasing patches in Language Servers for AWS version 1.69.0. The language server updates automatically for most users; reloading the IDE triggers the update. No action is required for users already on patched versions.
Developers are advised to:
- Update all Amazon Q Developer plugins to their latest versions immediately
- Treat unfamiliar or unverified repositories as untrusted
- Inspect `.amazonq/` directories in cloned repositories for unexpected MCP configurations
- Carefully review Amazon Q’s new “Untrusted MCP Server” consent prompts before approving execution
This incident highlights a broader pattern of vulnerabilities in AI-powered coding tools. Similar issues have been identified in other platforms, emphasizing the need for coordinated attention to auto-execution risks within the industry.
As AI integration in development environments becomes more prevalent, ensuring robust security measures is paramount. Developers must remain vigilant, regularly update their tools, and exercise caution when interacting with unfamiliar code repositories to mitigate potential threats.
