Amazon: Amazon Q Vulnerability Let Attackers Execute Code and Access Sensitive Cloud Environments

Critical Amazon Q Developer Vulnerabilities Exposed: Arbitrary Code Execution and Credential Theft Risks

Security researchers at Wiz Research disclosed two high-severity vulnerabilities in Amazon Q Developer, the AI-powered coding assistant for Visual Studio Code (VS Code), JetBrains, Eclipse, and Visual Studio. Tracked as CVE-2026-12957 and CVE-2026-12958, the flaws enabled arbitrary code execution and cloud credential theft as soon as a developer opened a malicious repository, with no further user interaction and no warning.

Root Cause & Exploitation

The vulnerabilities stemmed from Amazon Q’s automatic execution of MCP (Model Context Protocol) server configurations from .amazonq/mcp.json files in untrusted workspaces. Since spawned processes inherited the developer’s full environment, attackers could access:

  • AWS credentials (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN)
  • Cloud CLI authentication tokens
  • API keys and secrets
  • SSH agent sockets

A proof-of-concept demonstrated that a single malicious .amazonq/mcp.json file could exfiltrate AWS session credentials to an attacker-controlled server, with no clicks, prompts, or warnings required.

Assigned CVEs & Affected Versions

  • CVE-2026-12957: Improper trust boundary enforcement; MCP configs were executed without consent.
  • CVE-2026-12958: Missing symlink validation, enabling path traversal outside workspace boundaries.
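
A pre-open audit for the two root causes above, as an added example (not code from Amazon, Wiz, or the original article): it lists the MCP servers a checkout declares under .amazonq/, flags symlinks there that resolve outside the workspace, and names the sensitive variables a spawned process would inherit. The "mcpServers" key layout, the function names, and the sample workspace are assumptions made for illustration.

```python
import json
import os
import tempfile
from pathlib import Path

# Variables the article names, plus SSH_AUTH_SOCK (the standard SSH agent socket variable).
SENSITIVE_ENV = ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN", "SSH_AUTH_SOCK")

def audit_workspace(root, environ=None):
    """Report declared MCP servers, symlinks under .amazonq, and inheritable secrets."""
    environ = os.environ if environ is None else environ
    root = Path(root).resolve()
    report = {"servers": [], "symlinks": [], "unparsed": [],
              "inheritable": sorted(k for k in SENSITIVE_ENV if k in environ)}
    for dirpath, dirnames, filenames in os.walk(root):  # does not descend into dir symlinks
        for name in dirnames + filenames:
            entry = Path(dirpath) / name
            rel = entry.relative_to(root)
            if ".amazonq" not in rel.parts:
                continue
            if entry.is_symlink():
                outside = not entry.resolve().is_relative_to(root)
                report["symlinks"].append((rel.as_posix(), outside))
                if outside:
                    continue  # never read through a link that leaves the workspace
            if name == "mcp.json" and entry.is_file():
                try:
                    # Assumed layout: {"mcpServers": {name: {"command": ..., "args": [...]}}}
                    servers = json.loads(entry.read_text(encoding="utf-8"))["mcpServers"]
                    for label, spec in servers.items():
                        argv = [spec["command"], *spec.get("args", [])]
                        report["servers"].append((rel.as_posix(), label, argv))
                except (OSError, ValueError, KeyError, TypeError, AttributeError):
                    report["unparsed"].append(rel.as_posix())
    return report

def demo():
    """Build a constructed workspace (inert sample values) and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        repo, outside = Path(tmp, "repo"), Path(tmp, "outside")
        (repo / ".amazonq").mkdir(parents=True)
        outside.mkdir()
        (repo / ".amazonq" / "mcp.json").write_text(json.dumps(
            {"mcpServers": {"helper": {"command": "node", "args": ["tools/helper.js"]}}}))
        os.symlink(outside, repo / ".amazonq" / "rules")
        fake_env = {"AWS_SESSION_TOKEN": "constructed-value", "PATH": "/usr/bin"}
        return audit_workspace(repo, fake_env)

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A non-empty "servers" or "symlinks" list in a repository you did not author is the cue to review the config by hand before opening the folder in an IDE that has cloud credentials in its environment.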

Affected products and versions:

  • Language Servers for AWS < 1.69.0
  • Amazon Q Developer for VS Code < 2.20
  • Amazon Q Developer for JetBrains < 4.3
  • Amazon Q Developer for Eclipse < 2.7.4
  • AWS Toolkit with Amazon Q for Visual Studio < 1.94.0.0

Attack Vectors

Researchers highlighted targeted exploitation methods, including:

  • Malicious pull requests in popular open-source repositories
  • Typosquatted packages embedding hidden .amazonq/ configurations
  • Fake job interview coding tests (a tactic previously used by DPRK-linked threat actors)

Patch & Disclosure Timeline

  • April 20, 2026: Vulnerability discovered by Maor Dokhanian (Wiz Research) and responsibly disclosed to Amazon.
  • May 12, 2026: Amazon deployed an initial fix in Language Servers for AWS 1.69.0.
  • June 26, 2026: Full public disclosure via Security Bulletin 2026-047-AWS.

The patch is automatically applied for most users upon IDE reload. No further action is required for those on updated versions.

Broader Industry Risk

This vulnerability reflects a systemic issue in AI-powered coding tools. Similar flaws have been identified in:

  • Claude Code (CVE-2025-59536, CVE-2026-21852 – Check Point Research)
  • Windsurf (CVE-2026-30615 – OX Security)

All stem from auto-execution risks in untrusted configurations, underscoring the need for coordinated industry mitigation.

Source: https://cybersecuritynews.com/amazon-q-vulnerability/

Amazon TPRM report: https://www.rankiteo.com/company/amazon

"id": "ama1782498585",
"linkid": "amazon",
"type": "Vulnerability",
"date": "6/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'industry': 'Technology/Software Development',
                        'name': 'Amazon Q Developer',
                        'type': 'AI-powered coding assistant'}],
 'attack_vector': ['Malicious repositories',
                   'Malicious pull requests',
                   'Typosquatted packages',
                   'Fake job interview coding tests'],
 'data_breach': {'data_exfiltration': 'Yes (proof-of-concept demonstrated '
                                      'exfiltration to attacker-controlled '
                                      'server)',
                 'personally_identifiable_information': 'Potential risk',
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['AWS credentials',
                                              'Cloud CLI authentication tokens',
                                              'API keys',
                                              'SSH agent sockets']},
 'date_detected': '2026-04-20',
 'date_publicly_disclosed': '2026-06-26',
 'date_resolved': '2026-05-12',
 'description': 'Security researchers at Wiz Research disclosed two '
                'high-severity vulnerabilities in Amazon Q Developer, the '
                'AI-powered coding assistant for Visual Studio Code (VS Code), '
                'JetBrains, Eclipse, and Visual Studio. The flaws '
                '(CVE-2026-12957 and CVE-2026-12958) enabled arbitrary code '
                'execution and cloud credential theft when developers opened '
                'malicious repositories without user interaction or warnings.',
 'impact': {'data_compromised': ['AWS credentials (AWS_ACCESS_KEY_ID, '
                                 'AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN)',
                                 'Cloud CLI authentication tokens',
                                 'API keys and secrets',
                                 'SSH agent sockets'],
            'identity_theft_risk': ['Personally Identifiable Information (PII) '
                                    'exposure risk'],
            'systems_affected': ['Visual Studio Code',
                                 'JetBrains',
                                 'Eclipse',
                                 'Visual Studio']},
 'initial_access_broker': {'entry_point': 'Malicious .amazonq/mcp.json files '
                                          'in untrusted workspaces'},
 'investigation_status': 'Resolved',
 'lessons_learned': 'Systemic issue in AI-powered coding tools due to '
                    'auto-execution risks in untrusted configurations. '
                    'Highlights the need for coordinated industry mitigation.',
 'post_incident_analysis': {'corrective_actions': ['Automatic execution of MCP '
                                                   'configs disabled for '
                                                   'untrusted workspaces',
                                                   'Symlink validation '
                                                   'implemented'],
                            'root_causes': ['Improper trust boundary '
                                            'enforcement in MCP configurations',
                                            'Missing symlink validation '
                                            'enabling path traversal']},
 'recommendations': 'Update to patched versions of Amazon Q Developer and '
                    'related IDE plugins. Exercise caution when opening '
                    'untrusted repositories or pull requests.',
 'references': [{'source': 'Wiz Research'},
                {'source': 'Amazon Security Bulletin 2026-047-AWS'}],
 'response': {'communication_strategy': 'Security Bulletin 2026-047-AWS',
              'containment_measures': 'Automatic patch deployment in updated '
                                      'versions',
              'remediation_measures': 'Fixed in Language Servers for AWS '
                                      '1.69.0 and subsequent IDE versions',
              'third_party_assistance': 'Wiz Research'},
 'stakeholder_advisories': 'Security Bulletin 2026-047-AWS',
 'title': 'Critical Amazon Q Developer Vulnerabilities Exposed: Arbitrary Code '
          'Execution and Credential Theft Risks',
 'type': ['Arbitrary Code Execution', 'Credential Theft'],
 'vulnerability_exploited': ['CVE-2026-12957', 'CVE-2026-12958']}