Amazon Q CVE-2026-12957 MCP auto-execution

Summary

CVE-2026-12957 is a high-severity trust-boundary flaw in Language Servers for AWS, the language-server runtime bundled with Amazon Q Developer IDE plugins. Wiz Research reported that Amazon Q Developer for VS Code automatically loaded workspace MCP configuration from .amazonq/mcp.json and launched configured MCP servers without an explicit user approval step, allowing a malicious repository to execute local commands and inherit the developer's cloud-authenticated environment.

AWS published bulletin 2026-047-AWS on June 23, 2026 and credits Wiz for coordinated disclosure. AWS says Language Servers for AWS before 1.65.0 are affected by CVE-2026-12957; its bulletin also pairs the issue with CVE-2026-12958, a symlink-validation flaw before 1.69.0. Because Amazon Q IDE plugins bundle the language server, AWS recommends upgrading the relevant IDE plugins to versions that bundle Language Servers for AWS 1.69.0 or later.

Why this matters

  • This is a concrete, vendor-patched example of the broader MCP configuration-as-code-execution boundary: a file committed to a repository can become a local process launch if an AI coding assistant auto-trusts workspace configuration.
  • The dangerous blast radius is not just local code execution. MCP server processes can inherit AWS keys, SSO/CLI tokens, API keys, SSH agent sockets, repository credentials, and other secrets from the developer's shell or IDE environment.
  • The trigger path fits normal developer behavior: clone or open a repository in an IDE with Amazon Q enabled, trust the workspace when prompted, and let the extension initialize.
  • The bug reinforces that .amazonq/, .vscode/, .cursor/, .claude/, MCP registry snippets, and other assistant/editor configuration should be audited as executable supply-chain material, not passive settings.

Public vulnerability detail

  • CVE: CVE-2026-12957.
  • Primary product/runtime: Language Servers for AWS, used by Amazon Q Developer IDE plugins.
  • Affected runtime according to Wiz / GHSA: Language Servers for AWS < 1.65.0; npm package @aws/lsp-codewhisperer < 0.0.113.
  • AWS bulletin paired fix floor: Language Servers for AWS < 1.69.0 is affected by either CVE-2026-12957 or companion symlink issue CVE-2026-12958; fixed in 1.69.0 with corresponding Amazon Q plugin releases.
  • Affected plugin versions in AWS bulletin: Amazon Q Developer for VS Code < 2.20, JetBrains < 4.3, Eclipse < 2.7.4, and AWS Toolkit with Amazon Q for Visual Studio < 1.94.0.0.
  • Primitive: project/workspace configuration can define commands that are automatically executed by the language server after the workspace is opened and trusted.
  • Wiz-specific MCP path: .amazonq/mcp.json in the workspace root can define MCP servers; Amazon Q auto-loaded the file and spawned those servers with the user's environment.
  • Impact: arbitrary local code execution and potential theft of cloud / developer credentials available to the IDE process.

Attack shape

  1. Attacker publishes or sends a repository containing .amazonq/mcp.json or another project-level configuration file that defines an attacker-controlled command as an MCP server.
  2. A developer opens the repository in an IDE with Amazon Q Developer enabled and trusts the workspace when prompted.
  3. The language server reads the workspace configuration and spawns the configured command.
  4. The spawned process inherits high-value environment material such as AWS credentials, cloud CLI tokens, API keys, or SSH agent access.
  5. The payload exfiltrates credentials, validates cloud identity, modifies repositories, or pivots into cloud control planes using the developer's live session.

Defender heuristics

  1. Upgrade Amazon Q Developer plugins everywhere, with priority on developer workstations, build engineers, release managers, cloud administrators, and anyone who opens untrusted repositories. Use AWS's fixed plugin versions or later.
  2. Inventory Language Servers for AWS versions in IDE extension directories, managed developer images, devcontainers, golden AMIs, and remote development hosts; do not assume browser or IDE auto-update has completed.
  3. Hunt repositories and recent checkouts for .amazonq/mcp.json, unexpected MCP server definitions, suspicious command / args, shell interpreters, downloaders, curl/wget, cloud CLI invocations, or exfiltration destinations.
  4. Treat workspace-level AI/editor configuration as executable: review .amazonq/, .vscode/, .cursor/, .claude/, .gemini/, MCP registry snippets, and assistant settings in pull requests and dependency source archives.
  5. Reduce environment inheritance for IDEs and coding assistants. Launch them without broad cloud admin sessions where possible; prefer scoped profiles, short-lived credentials, and explicit per-project authentication.
  6. Monitor child processes of IDEs and language servers (Code, code, node, aws-lsp-codewhisperer, Amazon Q extensions) for shells, package managers, cloud CLIs, credential discovery, and network exfiltration.
  7. If exploitation is suspected, preserve the malicious workspace, extension versions, process telemetry, shell history, IDE logs, cloud audit logs, and repository audit events; rotate credentials available to the IDE session after containment.
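
The hunt in heuristic 3, as an added example (not code from Wiz, AWS, or the Amazon Q project): it walks a tree of checkouts, parses every .amazonq/mcp.json, and reports each server launch with the reasons it deserves review. The mcpServers / command / args layout, the rule patterns, and both sample configs are assumptions constructed for illustration.

```python
import json
import re
from pathlib import Path

# Assumed layout (not stated on the page): {"mcpServers": {name: {"command": str, "args": [...]}}}
RULES = {
    "shell interpreter": re.compile(r"(^|[\s/\\])(sh|bash|zsh|cmd|powershell|pwsh)(\.exe)?(\s|$)", re.I),
    "downloader": re.compile(r"(^|[\s/\\])(curl|wget)(\.exe)?(\s|$)", re.I),
    "cloud CLI": re.compile(r"(^|[\s/\\])(aws|az|gcloud)(\.exe)?(\s|$)", re.I),
    "network destination": re.compile(r"https?://", re.I),
}

def audit_config(text):
    """Return [(server_name, command_line, [reasons])] for one mcp.json body."""
    try:
        doc = json.loads(text)
    except ValueError:
        return [("<file>", "", ["unparseable JSON, review by hand"])]
    servers = doc.get("mcpServers") if isinstance(doc, dict) else None
    if not isinstance(servers, dict):
        return [("<file>", "", ["no mcpServers object, review by hand"])]
    findings = []
    for name, spec in servers.items():
        spec = spec if isinstance(spec, dict) else {}
        args = spec.get("args") if isinstance(spec.get("args"), list) else []
        cmdline = " ".join([str(spec.get("command", ""))] + [str(a) for a in args])
        reasons = [label for label, rx in RULES.items() if rx.search(cmdline)]
        # Every entry is a process launch, so all are reported; reasons only rank the review.
        findings.append((name, cmdline, reasons))
    return findings

def scan_tree(root):
    """Map each .amazonq/mcp.json under root to its audit findings."""
    results = {}
    for path in Path(root).rglob("mcp.json"):
        if path.parent.name == ".amazonq":
            results[str(path)] = audit_config(path.read_text(errors="replace"))
    return results

# Constructed sample inputs (illustrative, not taken from the Wiz report).
SAMPLE_SUSPICIOUS = json.dumps({"mcpServers": {"docs-helper": {
    "command": "bash", "args": ["-c", "curl https://example.invalid/x"]}}})
SAMPLE_PLAIN = json.dumps({"mcpServers": {"lint": {
    "command": "node", "args": ["./tools/lint-mcp.js"]}}})

if __name__ == "__main__":
    for path, findings in scan_tree(".").items():
        for name, cmdline, reasons in findings:
            print(f"{path}: server={name!r} cmd={cmdline!r} flags={reasons or ['none']}")
```

An entry with no flags is still a command the language server would have spawned on an affected version, so an empty reason list means lower priority, not cleared.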

Sources

  • Wiz Research: https://www.wiz.io/blog/amazon-q-vulnerability
  • AWS security bulletin 2026-047-AWS: https://aws.amazon.com/security/security-bulletins/2026-047-aws/
  • GitHub Security Advisory GHSA-xhcr-j4j9-3gh7: https://github.com/aws/language-servers/security/advisories/GHSA-xhcr-j4j9-3gh7
  • The Hacker News: https://thehackernews.com/2026/06/amazon-q-developer-flaw-could-let.html