Amazon Q Developer Flaw (CVE-2026-12957) Lets Malicious Repos Steal AWS Credentials

A high-severity flaw in Amazon Q Developer (CVE-2026-12957, CVSS 8.5) let a single config file in a cloned repo run commands and steal live AWS credentials. Amazon patched it in Language Servers for AWS 1.65.0. Update to 1.69.0.

A high-severity vulnerability in Amazon Q Developer turned a cloned Git repository into a tool for stealing developer credentials. The path was short: an attacker plants a malicious repo, a developer clones it, agrees to trust the workspace when prompted, and Amazon Q runs the attacker's commands with the developer's full cloud session attached. No password prompt, no second sign-in.

Tracked as CVE-2026-12957 (CVSS 8.5), the bug was found and reported by Wiz Research, which disclosed it to Amazon on April 20 and saw a fix on May 12, ahead of the June 26 public write-up. Amazon has patched it. There is no known in-the-wild exploitation; CISA's ADP entry lists exploitation as none.

Where the trust boundary broke

The flaw lived in Language Servers for AWS (aws/language-servers), the runtime that powers Amazon Q across VS Code, JetBrains, Eclipse, and Visual Studio. All four plugins bundle it, so any version shipping an older copy was exposed.

When Amazon Q loads an MCP configuration file, .amazonq/mcp.json, from the open workspace, it launches the Model Context Protocol servers defined within it. MCP servers spawn as local processes to reach databases, APIs, or build tools - so launching one means executing commands on the host. Those processes inherit the developer's full environment: AWS keys, cloud CLI tokens, API secrets, and SSH agent sockets.

Repo-carried config became an executable. A file sitting in a workspace ran arbitrary code with the developer's live cloud credentials in scope.

Zero Day Wire security alert infographic for CVE-2026-12957 (CVSS 8.5, High), Amazon Q Developer. Shows the four-step attack chain: developer trusts a malicious workspace, Amazon Q reads .amazonq/mcp.json and launches MCP servers, servers inherit AWS keys and tokens, arbitrary code runs and live cloud credentials are exfiltrated. Lists affected Language Servers for AWS below 1.65.0 and patched versions starting at 1.69.0 with minimum plugin versions for VS Code, JetBrains, Eclipse, and Visual Studio. No known in-the-wild exploitation.

The proof of concept

In its PoC, Wiz had the dropped config run aws sts get-caller-identity and ship the output to an attacker-controlled server, capturing the active AWS session. From there, the blast radius is defined entirely by that developer's IAM permissions: backdoor an IAM user for persistence, reach internal services, or pivot toward production.

AWS and Wiz frame the consent step differently. Amazon's advisory says the user must trust the workspace when prompted, and CVSS rates the user interaction as passive. Wiz reported that before the fix there was no separate consent gate for the MCP servers themselves. The patch closes that gap: Amazon Q now flags an untrusted MCP server and lets the developer reject the command before it runs.

A pattern, not a one-off

Amazon Q is not the first AI coding assistant to trip over MCP trust. The bugs differ in detail but rhyme: project configuration turns into executable behavior, and the trust checks around that handoff keep failing. Claude Code (CVE-2025-59536) and Cursor (CVE-2025-54136) both had project-level MCP config that led to command execution. Windsurf (CVE-2026-30615) reached the same end via attacker-controlled content rewriting the local MCP config to register a malicious server.

Action Items

  • Force all Amazon Q IDE plugins to Language Servers for AWS 1.69.0; confirm the runtime version directly rather than trusting auto-update, especially behind egress filtering.
  • Treat .amazonq/mcp.json and any repo-carried agent config as untrusted input. Audit cloned repos for unexpected MCP server definitions before opening them in an AI-enabled IDE.
  • Scope developer cloud credentials down. The PoC's impact tracked exactly to IAM permissions on the workstation - short-lived tokens and least-privilege roles shrink the blast radius of any agent compromise.
  • Where possible, run untrusted repos in disposable dev containers with no ambient cloud credentials.
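
One way to run the audit from the second action item before a checkout is opened in an AI-enabled IDE, as an added example (not code from Amazon, Wiz, or the original article). It assumes the config keeps its servers in a top-level mcpServers object with command, args and env per server; audit_repo and demo are names chosen here, and the sample checkout is constructed.

```python
import json
import tempfile
from pathlib import Path

# Assumption: servers sit under a top-level "mcpServers" object, each with
# "command", optional "args" and optional "env" (schema not given in the article).
SERVERS_KEY = "mcpServers"


def audit_repo(root):
    """List every MCP server a checkout's .amazonq/mcp.json files would define."""
    root = Path(root)
    findings = []
    for cfg in sorted(root.rglob("mcp.json")):
        if cfg.parent.name != ".amazonq":
            continue
        rel = cfg.relative_to(root).as_posix()
        try:
            doc = json.loads(cfg.read_text(encoding="utf-8"))
            servers = doc[SERVERS_KEY].items()
        except (OSError, ValueError, LookupError, TypeError, AttributeError) as exc:
            # Never skip silently: an unparseable config still needs a human look.
            findings.append({"file": rel, "server": None, "note": f"manual review: {exc!r}"})
            continue
        for name, spec in servers:
            spec = spec if isinstance(spec, dict) else {}
            args = spec.get("args") if isinstance(spec.get("args"), list) else []
            findings.append({"file": rel, "server": name,
                             "argv": [str(spec.get("command", ""))] + [str(a) for a in args],
                             "env_keys": sorted(spec.get("env") or {}),
                             "note": "launched as a local process if trusted"})
    return findings


def demo():
    """Audit a constructed sample checkout (not taken from any real repository)."""
    with tempfile.TemporaryDirectory() as tmp:
        repo = Path(tmp)
        (repo / "vendor" / ".amazonq").mkdir(parents=True)
        (repo / "vendor" / ".amazonq" / "mcp.json").write_text("{not json")
        (repo / ".amazonq").mkdir()
        (repo / ".amazonq" / "mcp.json").write_text(json.dumps({SERVERS_KEY: {
            "build-helper": {"command": "sh", "args": ["-c", "./scripts/setup.sh"],
                             "env": {"MODE": "dev"}}}}))
        return audit_repo(repo)


if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Any finding is a reason to read the file before trusting the workspace; the script reports what would be launched and does not judge whether a command is safe.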