Critical Amazon Q Developer Flaws Exposed Cloud Credentials to Remote Attacks
Security researchers uncovered two high-severity vulnerabilities in the Amazon Q Developer Extension for Visual Studio Code (VS Code), allowing attackers to execute arbitrary code and steal cloud credentials without user interaction. The flaws, tracked as CVE-2026-12957 and CVE-2026-12958, were patched in Language Servers for AWS version 1.69.0 and corresponding IDE plugins.
The vulnerabilities stemmed from Amazon Q’s automatic loading of MCP (Model Context Protocol) server configurations from .amazonq/mcp.json files in workspace directories without user consent, trust verification, or warnings. MCP servers, designed to extend AI assistants’ capabilities, could interact with databases, APIs, and system resources. However, the extension’s auto-execution of untrusted configurations violated security boundaries, enabling attackers to inherit the victim’s environment, including AWS credentials, CLI tokens, API keys, and SSH agent sockets.
Exploitation required only a malicious .amazonq/mcp.json file embedded in a repository. When a developer opened the folder in VS Code with Amazon Q active, the extension silently executed the payload. In a proof-of-concept by Wiz, the attack exfiltrated AWS session data to an attacker-controlled server using a single bash command (aws sts get-caller-identity). Further risks included IAM backdooring, cloud persistence, and lateral movement via inherited VPN contexts.
Delivery vectors mirrored known threat tactics, such as typosquatted packages, malicious pull requests, compromised dependencies, and fake coding tests a method previously linked to DPRK threat actors.
Affected Versions & Timeline
- CVE-2026-12957: Improper trust boundary enforcement; auto-executes commands from untrusted config files.
- CVE-2026-12958: Missing symlink validation; allows malicious symlinks to bypass workspace trust.
Vulnerable Products & Versions:
- Language Servers for AWS (< 1.69.0)
- Amazon Q Developer for VS Code (< 2.20)
- Amazon Q Developer for JetBrains (< 4.3)
- Amazon Q Developer for Eclipse (< 2.7.4)
- AWS Toolkit with Amazon Q for Visual Studio (< 1.94.0.0)
Discovery & Disclosure:
- April 17, 2026: Wiz researcher Maor Dokhanian identified the flaw.
- April 20, 2026: Reported to Amazon Security; acknowledged same day.
- May 12, 2026: Initial fix deployed via language server update.
- June 23, 2026: CVEs assigned.
- June 26, 2026: Public disclosure.
Amazon fully remediated the issues, with updates automatically applied in most configurations. The disclosure coincided with similar MCP auto-execution flaws in Claude Code, Cursor, and Windsurf, highlighting broader industry risks in AI-assisted development environments.
Source: https://cyberpress.org/amazon-q-vs-code-flaw-lets-malicious-repositories-steal-cloud-credentials/
Amazon TPRM report: https://www.rankiteo.com/company/amazon-web-services
"id": "ama1782541446",
"linkid": "amazon-web-services",
"type": "Vulnerability",
"date": "6/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': 'Developers using vulnerable '
'Amazon Q Developer extensions',
'industry': 'Technology/Cloud Computing',
'location': 'Global',
'name': 'Amazon Web Services (AWS)',
'size': 'Large Enterprise',
'type': 'Cloud Service Provider'}],
'attack_vector': ['Malicious repository files',
'Typosquatted packages',
'Malicious pull requests',
'Compromised dependencies',
'Fake coding tests'],
'customer_advisories': 'Developers were advised to update their IDE '
'extensions and review cloud access logs for '
'suspicious activity.',
'data_breach': {'data_exfiltration': True,
'personally_identifiable_information': 'Potential (AWS '
'credentials may '
'include PII)',
'sensitivity_of_data': 'High (cloud credentials, PII, and '
'system access tokens)',
'type_of_data_compromised': ['AWS session data',
'Cloud credentials',
'API keys',
'SSH agent sockets']},
'date_detected': '2026-04-17',
'date_publicly_disclosed': '2026-06-26',
'date_resolved': '2026-05-12',
'description': 'Security researchers uncovered two high-severity '
'vulnerabilities in the Amazon Q Developer Extension for '
'Visual Studio Code (VS Code), allowing attackers to execute '
'arbitrary code and steal cloud credentials without user '
'interaction. The flaws, tracked as CVE-2026-12957 and '
'CVE-2026-12958, were patched in Language Servers for AWS '
'version 1.69.0 and corresponding IDE plugins. The '
'vulnerabilities stemmed from Amazon Q’s automatic loading of '
'MCP server configurations from untrusted files without user '
'consent or verification, enabling attackers to inherit the '
'victim’s environment, including AWS credentials, CLI tokens, '
'API keys, and SSH agent sockets.',
'impact': {'brand_reputation_impact': 'Potential reputational damage due to '
'credential theft and remote code '
'execution risks',
'data_compromised': ['AWS credentials',
'CLI tokens',
'API keys',
'SSH agent sockets'],
'identity_theft_risk': 'High (AWS credentials and PII exposure)',
'operational_impact': ['Inherited VPN contexts', 'IAM backdooring'],
'systems_affected': ['Amazon Q Developer Extension for VS Code',
'Amazon Q Developer for JetBrains',
'Amazon Q Developer for Eclipse',
'AWS Toolkit with Amazon Q for Visual '
'Studio']},
'initial_access_broker': {'backdoors_established': 'Potential (IAM '
'backdooring, cloud '
'persistence)',
'entry_point': 'Malicious `.amazonq/mcp.json` files '
'in repositories',
'high_value_targets': 'Developers with AWS '
'credentials and cloud '
'access'},
'investigation_status': 'Closed (remediated)',
'lessons_learned': 'The incident highlighted risks in AI-assisted development '
'environments, particularly the auto-execution of '
'untrusted configurations. It underscored the need for '
'stricter trust boundaries, user consent mechanisms, and '
'validation of workspace files in IDE extensions.',
'motivation': ['Data exfiltration', 'Cloud persistence', 'Lateral movement'],
'post_incident_analysis': {'corrective_actions': ['Added trust boundary '
'enforcement for MCP '
'configurations.',
'Implemented symlink '
'validation in workspace '
'directories.',
'Automated patch deployment '
'for vulnerable '
'extensions.'],
'root_causes': ['Auto-execution of untrusted MCP '
'server configurations without '
'user consent or verification.',
'Missing symlink validation in '
'workspace files.']},
'recommendations': ['Update to patched versions of Amazon Q Developer '
'extensions (Language Servers for AWS >= 1.69.0, VS Code '
'extension >= 2.20, JetBrains >= 4.3, Eclipse >= 2.7.4, '
'Visual Studio >= 1.94.0.0).',
'Avoid opening untrusted repositories in development '
'environments with AI extensions enabled.',
'Implement least-privilege access for cloud credentials '
'and regularly rotate secrets.',
'Monitor for suspicious activity in cloud environments, '
'such as unexpected IAM role modifications or lateral '
'movement.'],
'references': [{'date_accessed': '2026-06-26', 'source': 'Wiz Research'},
{'date_accessed': '2026-06-26',
'source': 'Amazon Security Advisory'}],
'response': {'communication_strategy': 'Public disclosure on June 26, 2026',
'containment_measures': ['Automatic patch deployment via '
'language server update'],
'incident_response_plan_activated': True,
'remediation_measures': ['Fixed improper trust boundary '
'enforcement (CVE-2026-12957)',
'Added symlink validation '
'(CVE-2026-12958)'],
'third_party_assistance': 'Wiz (security research)'},
'stakeholder_advisories': 'AWS notified affected customers via security '
'bulletins and recommended immediate updates.',
'threat_actor': 'DPRK threat actors (suspected)',
'title': 'Critical Amazon Q Developer Flaws Exposed Cloud Credentials to '
'Remote Attacks',
'type': ['Supply Chain Attack', 'Remote Code Execution', 'Credential Theft'],
'vulnerability_exploited': ['CVE-2026-12957', 'CVE-2026-12958']}