A high-severity vulnerability (CVSS 8.5) in the Amazon Q Developer extension for VS Code allowed automatic execution of malicious MCP server configurations from repositories, silently exfiltrating AWS credentials. Amazon patched the flaw in language server version 1.65.0 on May 12, 2026, and recommends upgrading to 1.69.0. Researchers identify a systemic pattern across AI coding assistants including Claude Code, Cursor, and Windsurf.

On June 26, 2026, Wiz Research disclosed CVE-2026-12957, a high-severity vulnerability (CVSS 8.5/10) in the Amazon Q Developer extension for VS Code that enabled cloud credential theft through the automatic execution of MCP server configurations from malicious repositories. The discovery reveals a systemic pattern in AI coding assistants: the Model Context Protocol (MCP), designed to extend AI capabilities, becomes an invisible supply-chain attack vector when auto-configuration convenience replaces user consent.

Key Takeaways
  • CVE-2026-12957 scores CVSS 8.5/10: the Amazon Q Developer extension automatically loaded .amazonq/mcp.json files from the workspace without a workspace trust check or user consent.
  • MCP processes inherited the developer's full environment, including AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_SESSION_TOKEN, enabling silent exfiltration.
  • Amazon released the patch in language server version 1.65.0 on May 12, 2026, but recommends version 1.69.0 for more complete protection.
  • Structurally similar vulnerabilities have been documented in Claude Code, Cursor, and Windsurf, indicating a systemic issue in the MCP ecosystem.

How the Attack Worked: The Unfiltered MCP Mechanism

The Model Context Protocol (MCP) allows AI assistants to interact with external tools by spawning local processes. In the vulnerable version of Amazon Q Developer, the extension automatically loaded the .amazonq/mcp.json file present in the workspace directory without requiring any user confirmation.

Wiz Research technically verified the behavior: "no prompt, no consent, no workspace trust check." An attacker could distribute a seemingly innocuous repository — an open-source dependency clone, a falsified coding test, a malicious pull request — containing a crafted .amazonq/mcp.json file.

Processes spawned by MCP inherited the developer's complete environment. Wiz explicitly lists three sensitive variables propagated: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN. SecurityWeek confirms that "whatever cloud credentials and API keys were loaded in their environment" were exposed. The result was silent credential theft, without any authorization request or visual indication in the interface.
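The inheritance behavior described above can be reproduced locally. The following is an added example, not code from Wiz, Amazon, or the original article: it spawns a harmless stand-in child process twice, once with the parent's full environment and once with an allowlisted environment, and reports which of the three variable names the child can read. The allowlist contents and the placeholder values are assumptions of this example, and the allowlist is shown as a general defensive pattern, not as the fix Amazon shipped.

```python
import json
import os
import subprocess
import sys

# Variables the article lists as propagated to MCP child processes.
SENSITIVE = ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN")

# Hypothetical allowlist (an assumption of this example): what a tool needs to start.
ENV_ALLOWLIST = ("PATH", "HOME", "LANG", "TMPDIR", "SYSTEMROOT")

# Stand-in for a spawned tool process: prints which of the names it can read.
CHILD = (
    "import json, os, sys; "
    "print(json.dumps(sorted(n for n in sys.argv[1:] if n in os.environ)))"
)


def visible_to_child(parent_env, scrub):
    """Spawn the stand-in child and return the sensitive names it can see."""
    if scrub:
        child_env = {k: v for k, v in parent_env.items() if k in ENV_ALLOWLIST}
    else:
        child_env = dict(parent_env)  # full inheritance, as in the vulnerable flow
    result = subprocess.run(
        [sys.executable, "-c", CHILD, *SENSITIVE],
        env=child_env, capture_output=True, text=True, check=True,
    )
    return json.loads(result.stdout)


def demo():
    """Compare inherited and allowlisted spawns using constructed values."""
    parent = dict(os.environ)
    parent.update({name: "CONSTRUCTED-PLACEHOLDER" for name in SENSITIVE})
    return visible_to_child(parent, scrub=False), visible_to_child(parent, scrub=True)


if __name__ == "__main__":
    inherited, scrubbed = demo()
    print("inherited env exposes:", inherited)
    print("allowlisted env exposes:", scrubbed)
```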

Wiz researchers built a working proof-of-concept: a minimal malicious repository that, when opened in VS Code with Amazon Q Developer active, executed the command aws sts get-caller-identity and captured the developer's active AWS session.

"The combination of auto-execution, shell spawning, and environment inheritance created a high-severity vulnerability in a widely-used developer tool. A single malicious repository could compromise not just the developer's local machine, but their cloud infrastructure as well"
— Wiz Research

The Disclosure Timeline: A Two-Month Exposure Window

Wiz Research notified Amazon on April 20, 2026. The vendor released the patch in language server version 1.65.0 on May 12, 2026. Public disclosure occurred on June 26, 2026, roughly six weeks after the fix deployment.

An AWS spokesperson, quoted by SecurityWeek, stated: "We would like to thank Wiz for collaborating with us on this issue. We have remediated this issue in language server version 1.65.0." The same spokesperson added that "The AWS Language Server updates automatically unless the customer's network configuration prevents it, so no action is required in most cases."

However, CryptoBriefing reports that Amazon subsequently recommended upgrading to version 1.69.0 for "more complete protection," which gives users who may have stopped at 1.65.0 a further upgrade to evaluate. The fix applies to VS Code, JetBrains, Eclipse, Visual Studio, and the language server.

CryptoBriefing also documented a related vulnerability, CVE-2026-12958, concerning symlink validation in MCP configurations. Both have been patched. According to CryptoBriefing, no public exploitation cases have been recorded.

The Systemic Pattern: When Convenience Becomes a Vulnerability

The discovery in Amazon Q Developer is not isolated. Wiz Research published a comparative table documenting structurally similar vulnerabilities in other MCP tools: CVE-2025-59536 and CVE-2026-21852 in Claude Code, CVE-2025-54136 in Cursor, plus issues in Windsurf. CryptoBriefing confirms the same range of affected products.

The pattern is recognizable: the MCP protocol extends AI capabilities by allowing local process execution, but the auto-configuration implementation skipped trust controls already standardized in other contexts. The comparison to browsers is immediate — auto-download of files without consent was progressively restricted after years of abuse — but the AI coding assistant industry is repeating that learning curve in accelerated fashion, with the aggravating factor that execution occurs in the privileged context of the development environment.

Cloud credentials are not ordinary data: they represent direct access to corporate infrastructure. Their silent exfiltration from an IDE, without phishing or traditional endpoint compromise, shifts the attack perimeter to the git repository — a vector that security teams have only begun to systematically catalog in recent years.

What to Do Now

For Amazon Q Developer users, verifying the language server version is the first step. Version 1.65.0 contains the initial fix, but Amazon recommends 1.69.0. Corporate network configurations can block auto-update, so it cannot be assumed that no manual action is needed.

For teams managing shared repositories, reviewing codebases for unauthorized .amazonq/mcp.json files is a concrete verification step, given that such files represent the documented attack vector.
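One way to run that review across a checkout, as an added example that is not from the article or any vendor: the script walks a repository tree, finds workspace MCP configs in the two directories the article names (.amazonq and .cursor), and lists the command each configured server would spawn so a reviewer can approve or reject it. The `mcpServers` / `command` / `args` layout is the commonly used MCP config shape and is assumed here; the sample tree is constructed for the demonstration.

```python
import json
import tempfile
from pathlib import Path

# Directories holding workspace-level mcp.json files named in the article.
MCP_CONFIG_DIRS = (".amazonq", ".cursor")


def audit_repo(repo_root):
    """Return one finding per MCP server a workspace config would launch."""
    findings = []
    for cfg in sorted(Path(repo_root).rglob("mcp.json")):
        if cfg.parent.name not in MCP_CONFIG_DIRS:
            continue
        rel = cfg.relative_to(repo_root).as_posix()
        if cfg.is_symlink():  # a config that points elsewhere deserves manual review
            findings.append({"file": rel, "server": None, "issue": "config is a symlink"})
            continue
        try:
            data = json.loads(cfg.read_text(encoding="utf-8"))
        except (OSError, ValueError) as exc:
            findings.append({"file": rel, "server": None, "issue": f"unreadable: {exc}"})
            continue
        servers = data.get("mcpServers") if isinstance(data, dict) else None
        for name, spec in (servers if isinstance(servers, dict) else {}).items():
            spec = spec if isinstance(spec, dict) else {}
            args = spec.get("args") or []
            argv = [spec.get("command", "")] + (args if isinstance(args, list) else [args])
            findings.append({"file": rel, "server": name,
                             "issue": "spawns: " + " ".join(str(a) for a in argv)})
    return findings


def build_sample_repo(root):
    """Constructed sample tree: one valid config, one malformed nested config."""
    q = Path(root, ".amazonq")
    q.mkdir(parents=True)
    (q / "mcp.json").write_text(json.dumps(
        {"mcpServers": {"docs-helper": {"command": "node", "args": ["tools/server.js"]}}}))
    c = Path(root, "vendor", "lib", ".cursor")
    c.mkdir(parents=True)
    (c / "mcp.json").write_text("{not json")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_repo(tmp)
        for finding in audit_repo(tmp):
            print(finding)
```

Any finding on a repository that is not expected to ship an MCP config is worth treating as a review blocker until the listed command has been checked.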

For CISOs, auditing active IDE extensions across development teams falls under a broader assessment: the MCP ecosystem extends beyond Amazon Q, and auto-configuration implementations vary in security. Rotating AWS credentials exposed before May 12, 2026 is a containment measure not explicitly stated by sources, but derivable from the documented exposure mechanism.

For the industry, the recommendation formulated by Wiz Research in the report is explicit: "Any file that can exist in a git repository should be treated as untrusted input. Extensions must validate, sanitize, and — most importantly — obtain consent before acting on workspace configs." The operational translation is the consent prompt Amazon introduced in the fix.

The Problem Is in the Architecture, Not the Single Bug

CVE-2026-12957 is technically closed, but the pattern that generated it remains open across the entire MCP ecosystem. The line between an extension that "simply helps write code" and one that executes local processes inheriting cloud credentials is a thin one that many developers do not perceive.

The AI industry is replicating a security error already overcome in browsers: the convenience of auto-execution preceded risk awareness by years. The adoption velocity of coding assistants does not allow the same time margin. The next cloned repository could contain a .cursor/mcp.json or an analogous file for Claude Code, with the same mechanism and the same lack of consent until subsequent patches.

The measure of a technology sector's maturity is not how rapidly it adds features, but how quickly it recognizes that convenience without control is a structural vulnerability, not a bug to be cataloged and forgotten.

Sources

Information has been verified against cited sources and updated at time of publication.

Sources and references
  1. securityweek.com
  2. unit42.paloaltonetworks.com
  3. cryptobriefing.com
  4. wiz.io