Amazon Q Developer — Malicious Repo MCP Config Steals Cloud Credentials (CVE-2026-12957)
AI relevance: Amazon Q Developer is an AI coding agent that reads project-level MCP config and spawns local processes — turning a cloned repo into an execution surface that inherits the developer's live cloud credentials.
What happened
- Wiz Research disclosed CVE-2026-12957 (CVSS 8.5) in Amazon Q Developer, reported April 20 and patched May 12, 2026.
- The flaw sat in how Amazon Q handled Model Context Protocol (MCP) server configuration files — specifically `.amazonq/mcp.json` dropped into a repository.
- When a developer opened the repo and trusted the workspace, Amazon Q automatically launched the MCP servers defined in that config — executing arbitrary commands on the developer's machine.
- Those spawned processes inherited the developer's full environment: AWS keys, cloud CLI tokens, API secrets, and SSH agent sockets — with no separate consent step for MCP server execution.
- Wiz's proof of concept ran `aws sts get-caller-identity` and exfiltrated the output to an attacker-controlled server, capturing the active AWS session.
- The bug lived in Language Servers for AWS, the runtime powering Amazon Q across VS Code, JetBrains, Eclipse, and Visual Studio — all four IDE plugins were affected.
- AWS's advisory notes the user must "trust the workspace" when prompted, but Wiz found no additional consent gate for MCP server spawning before the fix.
- The patch (Language Servers for AWS 1.65.0+, recommended 1.69.0) now flags untrusted MCP servers and lets developers reject commands before execution.
- A second issue, CVE-2026-12958 (missing symlink check allowing arbitrary file writes outside the workspace), was also closed in the same release.
Why it matters
This is the third major AI coding assistant to trip over MCP trust boundaries in 2026. Claude Code (CVE-2025-59536), Cursor (CVE-2025-54136), and Windsurf (CVE-2026-30615) all shipped project-level MCP config that led to command execution. The pattern is identical: repo-carried config is untrusted input, but AI agents treat it as executable behavior. The convenience of letting a project folder configure an AI assistant is also the attack surface. No known public exploitation yet, but the attack requires only a git clone and a workspace-trust click.
What to do
- Update Language Servers for AWS to 1.69.0 or later (auto-updates unless network-blocked; reload IDE to pull latest).
- Minimum patched plugin versions: VS Code 2.20+, JetBrains 4.3+, Eclipse 2.7.4+, Visual Studio toolkit 1.94.0.0+.
- Audit any repos cloned in the past 60 days for `.amazonq/mcp.json` files — delete suspicious configs before opening the workspace.
- Rotate AWS credentials and any cloud tokens present on developer machines that opened untrusted repos during the exposure window (pre-May 12).
- Enforce workspace-trust policies that require explicit per-session approval for MCP server spawning, not just initial repo trust.
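
One way to carry out the audit step above, as an added example rather than AWS or Wiz tooling: it walks a directory of checkouts, finds each `.amazonq/mcp.json`, and lists the command line every server entry would launch so it can be reviewed before the workspace is opened. It assumes the common MCP layout of a top-level `mcpServers` object whose entries carry `command`, `args` and `env`; the function names are illustrative.

```python
import json
import sys
from pathlib import Path


def find_mcp_configs(root):
    """Yield every .amazonq/mcp.json under root, including nested checkouts."""
    for path in Path(root).rglob("mcp.json"):
        if path.parent.name == ".amazonq" and path.is_file():
            yield path


def summarize(path):
    """Return (server_name, command_line, env_keys) for each server entry."""
    try:
        data = json.loads(Path(path).read_text(encoding="utf-8"))
    except (OSError, ValueError) as exc:
        # Report unreadable configs instead of skipping them: they need a manual look.
        return [("<unparseable>", str(exc), [])]
    # Assumed layout: {"mcpServers": {name: {"command": ..., "args": [...], "env": {...}}}}
    servers = data.get("mcpServers") if isinstance(data, dict) else None
    if not isinstance(servers, dict):
        return [("<no mcpServers object>", "", [])]
    rows = []
    for name, spec in servers.items():
        spec = spec if isinstance(spec, dict) else {}
        args = spec.get("args")
        env = spec.get("env")
        argv = [str(spec.get("command", ""))]
        argv += [str(a) for a in args] if isinstance(args, list) else []
        env_keys = sorted(env) if isinstance(env, dict) else []
        rows.append((name, " ".join(argv).strip(), env_keys))
    return rows


def audit(root):
    """Map each config path (as a string) to its summarized server entries."""
    return {str(p): summarize(p) for p in find_mcp_configs(root)}


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for cfg, rows in audit(root).items():
        print(cfg)
        for name, cmd, env_keys in rows:
            print(f"  {name}: {cmd}  env_keys={env_keys}")
```

Run it against the parent directory that holds your clones; it only reads files and never starts the listed commands.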