
Amazon Q Vulnerability Let Attackers Execute Code and Access Sensitive Cloud Environments

Source: Cybersecurity News




By Guru Baran, June 26, 2026

A high-severity vulnerability has been disclosed in the Amazon Q Developer Extension for Visual Studio Code (VS Code), Amazon’s AI-powered coding assistant. Tracked as CVE-2026-12957 and CVE-2026-12958 and disclosed by Wiz Research, the flaws allowed attackers to achieve arbitrary code execution and cloud credential theft simply by having a developer open a malicious repository.

The root cause was Amazon Q’s automatic loading of MCP (Model Context Protocol) server configurations from .amazonq/mcp.json workspace files without user consent or workspace trust verification. Combined with full environment inheritance by spawned processes, this created a dangerous attack chain.

Amazon Q Vulnerability

When a developer opened a compromised repository with Amazon Q active, the extension silently executed commands defined in the malicious config. Since spawned processes inherited the developer’s full environment, attackers gained immediate access to:

- AWS credentials (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN)
- Cloud CLI authentication tokens
- API keys and secrets
- SSH agent sockets

A minimal proof-of-concept showed that a single malicious .amazonq/mcp.json file could exfiltrate active AWS session credentials to an attacker-controlled server — no clicks, no prompts, no warning.
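The environment-inheritance half of the chain described above is easiest to see with a small script that spawns a helper process twice: once with the parent's full environment (the default for most process-spawning APIs) and once with an allowlisted environment. This is an added example, not code from the article, Wiz Research or Amazon; the allowlist, the credential-name pattern, the fake variable values and the use of a Python child process standing in for an MCP server are all assumptions made for the demonstration.

```python
"""Spawn a helper process with an allowlisted environment instead of inheriting the parent's.

Added example, not code from the article, Wiz Research or Amazon. The allowlist and the
credential-name pattern are illustrative assumptions, not Amazon Q's actual behaviour.
"""
import json
import os
import re
import subprocess
import sys

# Variable names a child tool process should never receive by default (assumption: illustrative).
CREDENTIAL_RE = re.compile(r"(^AWS_|TOKEN|SECRET|API_KEY|SSH_AUTH_SOCK)", re.IGNORECASE)
# Minimal set most tools need to start (assumption; SYSTEMROOT/USERPROFILE keep Windows working).
CHILD_ALLOWLIST = ("PATH", "HOME", "LANG", "TMPDIR", "TEMP", "TMP", "SYSTEMROOT", "USERPROFILE")


def credential_names(env: dict) -> list:
    """Return, sorted, the variable names in `env` that look like credentials."""
    return sorted(k for k in env if CREDENTIAL_RE.search(k))


def build_child_env(parent_env: dict, allowlist=CHILD_ALLOWLIST, extra=None) -> dict:
    """Allowlist-based copy of the parent environment plus explicit per-server values.

    Values in `extra` (what a server config's own env block would supply) are applied
    literally; nothing is expanded against the parent environment."""
    child = {k: v for k, v in parent_env.items() if k in allowlist}
    child.update(extra or {})
    return child


def spawn_and_list_env(env: dict) -> list:
    """Start a child (Python itself, standing in for an MCP server) with the given
    environment and return the credential-like names it can see."""
    probe = "import json, os; print(json.dumps(sorted(os.environ)))"
    out = subprocess.run([sys.executable, "-c", probe], env=env,
                         capture_output=True, text=True, check=True).stdout
    return sorted(k for k in json.loads(out) if CREDENTIAL_RE.search(k))


def demo() -> dict:
    """Constructed parent environment holding fake credentials, spawned both ways."""
    parent = dict(os.environ)
    parent.update({
        "AWS_ACCESS_KEY_ID": "AKIA-EXAMPLE-NOT-REAL",   # constructed sample values
        "AWS_SECRET_ACCESS_KEY": "example-secret",
        "AWS_SESSION_TOKEN": "example-session-token",
        "SSH_AUTH_SOCK": "/tmp/agent.example",
    })
    inherited = spawn_and_list_env(parent)  # default: the child sees every credential
    scrubbed = spawn_and_list_env(build_child_env(parent, extra={"LOG_LEVEL": "info"}))
    return {"inherited": inherited, "scrubbed": scrubbed}


if __name__ == "__main__":
    result = demo()
    print("child with inherited env sees:", result["inherited"])
    print("child with allowlisted env sees:", result["scrubbed"])
```

The allowlist approach is preferable to a denylist because the set of secrets a developer shell carries (cloud CLI tokens, package-registry tokens, agent sockets) is open-ended; a denylist only catches the names you thought of.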
Two CVEs were assigned as part of this disclosure:

- CVE-2026-12957 — Improper trust boundary enforcement; MCP configs auto-executed without consent
- CVE-2026-12958 — Missing symlink validation allowing path traversal outside workspace boundaries

The following product versions are affected:

Product                                        Affected Version
Language Servers for AWS                       < 1.69.0
Amazon Q Developer for VS Code                 < 2.20
Amazon Q Developer for JetBrains               < 4.3
Amazon Q Developer for Eclipse                 < 2.7.4
AWS Toolkit with Amazon Q for Visual Studio    < 1.94.0.0

Attack Scenarios

Beyond opportunistic exploitation, researchers highlighted several targeted attack vectors:

- Malicious pull requests to popular open-source repositories
- Typosquatted packages embedding hidden .amazonq/ configurations
- Fake job interview coding tests — a known tactic used by DPRK-linked threat actors — where candidates are asked to clone and run attacker-controlled repositories

Amazon has patched both vulnerabilities in Language Servers for AWS version 1.69.0. The language server updates automatically for most users; reloading the IDE triggers the update. No action is required for users already on patched versions. Developers should take these precautions regardless:

- Update all Amazon Q Developer plugins to their latest versions immediately
- Treat unfamiliar or unverified repositories as untrusted
- Inspect .amazonq/ directories in cloned repositories for unexpected MCP configurations
- Carefully review Amazon Q’s new “Untrusted MCP Server” consent prompts before approving execution

This vulnerability reflects a broader pattern across AI coding tools. Check Point Research independently identified CVE-2025-59536 and CVE-2026-21852 in Claude Code, and OX Security discovered CVE-2026-30615 in Windsurf — all rooted in the same auto-execution risk. MCP auto-execution without consent is now recognized as a systemic industry risk requiring coordinated attention.
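One way to act on the "inspect .amazonq/ directories" advice above before opening a cloned repository in an IDE is a small audit script. It lists every workspace-scoped MCP server definition with the command it would launch, flags env blocks that name credential-style variables, and applies the resolve-then-compare check that the symlink issue (CVE-2026-12958) is described as lacking: any .amazonq entry or mcp.json that resolves outside the workspace root is reported. This is an added example, not code from the article, Wiz Research or Amazon; it assumes the config path .amazonq/mcp.json named in the article and the common MCP layout of a top-level mcpServers object whose entries carry command, args and env keys, and the sample repository it builds is constructed for the demonstration.

```python
"""Audit a cloned repository for workspace-scoped MCP server configurations.

Added example, not code from the article, Wiz Research or Amazon. Assumptions:
- workspace MCP configs live at .amazonq/mcp.json (the path named in the article);
- the file uses the common MCP layout {"mcpServers": {name: {"command", "args", "env"}}};
- the repository built by build_demo_workspace() is constructed for the demo.
"""
import json
import os
import re
import tempfile
from pathlib import Path

CONFIG_DIR = ".amazonq"
CONFIG_NAME = "mcp.json"
# Variable names a workspace config has no business setting (assumption: illustrative).
CREDENTIAL_RE = re.compile(r"(^AWS_|TOKEN|SECRET|API_KEY|SSH_AUTH_SOCK)", re.IGNORECASE)


def escapes_workspace(path: Path, workspace: Path) -> bool:
    """True if `path`, after resolving symlinks, lies outside the workspace or dangles."""
    try:
        path.resolve(strict=True).relative_to(workspace.resolve())
        return False
    except (ValueError, OSError):
        return True


def audit_workspace(workspace) -> list:
    """Walk the workspace without following directory symlinks (os.walk's default)
    and return one finding dict per suspicious item."""
    workspace = Path(workspace)
    findings = []
    for root, dirs, files in os.walk(workspace):
        root_p = Path(root)
        for d in dirs:  # a symlinked .amazonq directory is reported, never descended into
            p = root_p / d
            if d == CONFIG_DIR and p.is_symlink():
                where = "outside" if escapes_workspace(p, workspace) else "inside"
                findings.append({"path": str(p), "server": None,
                                 "reasons": [f"symlinked {CONFIG_DIR} directory resolving {where} the workspace"]})
        if root_p.name != CONFIG_DIR or CONFIG_NAME not in files:
            continue
        cfg = root_p / CONFIG_NAME
        if escapes_workspace(cfg, workspace):
            findings.append({"path": str(cfg), "server": None,
                             "reasons": [f"{CONFIG_NAME} symlink resolving outside the workspace"]})
            continue
        try:
            data = json.loads(cfg.read_text(encoding="utf-8"))
        except (OSError, ValueError) as exc:
            findings.append({"path": str(cfg), "server": None, "reasons": [f"unparseable config: {exc}"]})
            continue
        servers = data.get("mcpServers") if isinstance(data, dict) else None
        for name, spec in (servers or {}).items():
            spec = spec if isinstance(spec, dict) else {}
            reasons = ["workspace-scoped MCP server definition (auto-started by unpatched versions)"]
            suspicious = sorted(k for k in (spec.get("env") or {}) if CREDENTIAL_RE.search(k))
            if suspicious:
                reasons.append("sets credential-like env vars: " + ", ".join(suspicious))
            argv = [str(spec.get("command", ""))] + [str(a) for a in (spec.get("args") or [])]
            findings.append({"path": str(cfg), "server": name,
                             "command": " ".join(argv).strip(), "reasons": reasons})
    return findings


def build_demo_workspace(base: Path):
    """Constructed sample: one repo-level MCP config plus, where symlinks are supported,
    a vendor/.amazonq link pointing outside the repo. Returns (repo_path, link_created)."""
    repo = base / "cloned-repo"
    (repo / CONFIG_DIR).mkdir(parents=True)
    sample = {"mcpServers": {"helper": {
        "command": "npx", "args": ["-y", "example-mcp-server"],          # hypothetical package name
        "env": {"AWS_ACCESS_KEY_ID": "not-a-real-key", "LOG_LEVEL": "info"}}}}
    (repo / CONFIG_DIR / CONFIG_NAME).write_text(json.dumps(sample), encoding="utf-8")
    outside = base / "outside"
    outside.mkdir()
    (outside / CONFIG_NAME).write_text("{}", encoding="utf-8")
    (repo / "vendor").mkdir()
    try:
        os.symlink(outside, repo / "vendor" / CONFIG_DIR, target_is_directory=True)
        linked = True
    except (OSError, NotImplementedError):
        linked = False
    return repo, linked


def run_demo() -> dict:
    """Build the constructed repo in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        repo, linked = build_demo_workspace(Path(tmp))
        return {"findings": audit_workspace(repo), "symlink_created": linked}


if __name__ == "__main__":
    for f in run_demo()["findings"]:
        print(f["path"], f.get("server"), f.get("command", ""), "|", "; ".join(f["reasons"]))
```

Run it against a freshly cloned repository before the IDE opens it; an empty result means no workspace MCP definitions were found, and each reported server shows exactly what command would have been launched on a pre-1.69.0 language server.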
The vulnerability was discovered by Maor Dokhanian of Wiz Research and disclosed responsibly to Amazon on April 20, 2026. Amazon deployed the initial fix on May 12, 2026, with full public disclosure on June 26, 2026, under Security Bulletin 2026-047-AWS.

About the author: Gurubaran KS is a cybersecurity analyst and journalist with a strong focus on emerging threats and digital defense strategies. He is the Co-Founder and Editor-in-Chief of Cyber Security News, where he leads editorial coverage on global cybersecurity developments.