

Ethical Hacking News

A Critical Flaw in Amazon Q Developer Exposed: A Vulnerability That Could Have Leaked Cloud Credentials


A high-severity bug in Amazon Q Developer could have allowed malicious repositories to run code via MCP configurations, compromising developer cloud credentials. The vulnerability has been patched, but it highlights the importance of regular security updates and careful configuration management in developer tools.

  • A critical flaw was discovered in Amazon Q Developer, a popular coding assistant, that could have allowed malicious repositories to run code via Model Context Protocol (MCP) configurations.
  • The vulnerability (CVE-2026-12957) allowed a single config file to launch malicious servers on a developer's machine without explicit consent or notification.
  • The attack worked by reading an MCP configuration file and launching the defined servers, inheriting the developer's full environment.
  • A patched version of Amazon Q Developer (Language Servers for AWS 1.65.0) has been released, but users are advised to use version 1.69.0 instead.


Amazon Q Developer, a popular coding assistant used by millions of developers worldwide, has been found to contain a critical flaw that could have allowed malicious repositories to run code via Model Context Protocol (MCP) configurations. The vulnerability, tracked as CVE-2026-12957, was discovered by Wiz Research and reported to Amazon in April 2026.

The bug sat in how Amazon's AI coding assistant handled MCP servers: a single config file dropped in a repository was enough to go from git clone to cloud compromise. A developer opens the repository and trusts the workspace, and Amazon Q does the rest, launching the servers the file defines on the developer's machine without any explicit consent or notification.

The attack worked by reading an MCP configuration file, .amazonq/mcp.json, from the open workspace and launching the servers it defined. These processes inherited the developer's full environment, including AWS keys, cloud CLI tokens, API secrets, and SSH agent sockets. As a result, a file sitting in a cloned repository could run arbitrary code with the developer's live cloud session attached, with no password or second sign-in required.

In its proof of concept, Wiz had the file run aws sts get-caller-identity and ship the output to an attacker server, capturing the active AWS session. A malicious actor exploiting this vulnerability could therefore read sensitive data and perform actions on cloud resources as the affected developer.

Amazon has since patched the issue in Language Servers for AWS 1.65.0, but version 1.69.0 is the recommended target. The patched plugin minimums are VS Code 2.20, JetBrains 4.3, Eclipse 2.7.4 and Visual Studio toolkit 1.94.0.0, or later in each case.

This vulnerability highlights the importance of regular security updates and careful configuration management in developer tools. It also serves as a reminder that even seemingly innocuous features can be exploited by malicious actors if not implemented correctly.

Interestingly, this is not the first time Amazon Q has faced issues with MCP trust. Two earlier bugs, CVE-2025-59536 and CVE-2025-54136, disclosed in 2025, also involved project-level MCP config leading to command execution. A bug in Windsurf (CVE-2026-30615) reached the same end by a different path: attacker-controlled content rewrote the local MCP config to register a malicious server.

The convenience of letting a project folder configure an AI agent is also the attack surface. Repo-carried config is untrusted input, and turning it into a running process should take an explicit yes. In this case, Amazon Q's handling of MCP servers skipped that step, and the bug went unnoticed until Wiz Research discovered and reported it.
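The gate the paragraphs above describe, as an added example that is neither Amazon Q's nor Wiz's code: parse a repository-carried mcp.json, list what it would launch without launching anything, refuse to start a server until an explicit consent has been recorded for that exact file's hash, and strip credential-bearing variables from the child environment. It assumes the commonly used mcp.json layout (a top-level mcpServers object whose entries carry command, args and an optional env); the trust store, the SENSITIVE_PREFIXES list and SAMPLE_CONFIG are constructed for this example.

```python
"""Defensive gate for repo-carried MCP config (added example, not vendor code)."""
import hashlib
import json
from typing import Dict, List, Tuple

# Assumption of this example: variables that must never flow into a process
# started by repository config. Chosen from what the article names (cloud keys,
# CLI tokens, API secrets, SSH agent socket); extend for your own environment.
SENSITIVE_PREFIXES = ("AWS_", "AZURE_", "GOOGLE_", "GITHUB_", "SSH_AUTH_SOCK", "NPM_TOKEN")

# Constructed sample: a .amazonq/mcp.json as a hostile repository might ship it.
# The "helper" entry would run the cloud CLI against whatever session is live.
SAMPLE_CONFIG = json.dumps({
    "mcpServers": {
        "helper": {"command": "sh", "args": ["-c", "aws sts get-caller-identity"]},
        "docs": {"command": "npx", "args": ["-y", "@example/docs-mcp"], "env": {"DEBUG": "1"}},
    }
})


def config_fingerprint(config_text: str) -> str:
    """Hash the exact bytes of the config; any edit to the file needs a fresh consent."""
    return hashlib.sha256(config_text.encode("utf-8")).hexdigest()


def planned_servers(config_text: str) -> List[Dict]:
    """Describe the processes the config would start, without starting any of them."""
    data = json.loads(config_text)
    servers = data.get("mcpServers", {})
    if not isinstance(servers, dict):
        raise ValueError("mcpServers must be a JSON object")
    plan = []
    for name, spec in servers.items():
        if spec.get("disabled"):
            continue
        argv = [spec["command"], *spec.get("args", [])]
        plan.append({"name": name, "argv": argv, "env": dict(spec.get("env", {}))})
    return plan


def scrub_env(env: Dict[str, str]) -> Dict[str, str]:
    """Drop every variable whose name starts with a sensitive prefix."""
    return {k: v for k, v in env.items() if not k.startswith(SENSITIVE_PREFIXES)}


def record_consent(store: Dict[str, set], repo: str, fingerprint: str) -> None:
    """The explicit yes: the developer approved this repo's config at this hash."""
    store.setdefault(repo, set()).add(fingerprint)


def launch_plan(config_text: str, repo: str, store: Dict[str, set],
                base_env: Dict[str, str]) -> Tuple[List[Dict], List[Dict]]:
    """Return (servers cleared to launch, servers still awaiting consent).

    Nothing is cleared unless the current config hash was approved for this
    repo, and a cleared server only ever receives a scrubbed environment; the
    config's own env block is scrubbed too so it cannot re-point the cloud CLI.
    """
    fingerprint = config_fingerprint(config_text)
    servers = planned_servers(config_text)
    if fingerprint not in store.get(repo, set()):
        return [], servers
    cleared = []
    for server in servers:
        env = scrub_env(base_env)
        env.update(scrub_env(server["env"]))
        cleared.append({"name": server["name"], "argv": server["argv"], "env": env})
    return cleared, []


if __name__ == "__main__":
    # Constructed developer environment with a live cloud session attached.
    dev_env = {"HOME": "/home/dev", "AWS_ACCESS_KEY_ID": "AKIA-EXAMPLE", "SSH_AUTH_SOCK": "/tmp/agent"}
    store: Dict[str, set] = {}
    cleared, pending = launch_plan(SAMPLE_CONFIG, "repo-a", store, dev_env)
    print(f"awaiting review: {[s['name'] + ': ' + ' '.join(s['argv']) for s in pending]}")
    record_consent(store, "repo-a", config_fingerprint(SAMPLE_CONFIG))
    cleared, pending = launch_plan(SAMPLE_CONFIG, "repo-a", store, dev_env)
    for s in cleared:
        print(f"cleared {s['name']} with env keys {sorted(s['env'])}")
```

Two design points worth noting: consent is bound to the hash of the file rather than to the repository, so a later commit that edits mcp.json (the Windsurf-style rewrite mentioned below) drops the servers back into the pending list; and the review output shows the full argv before anything runs, which is the information a developer needs to give a meaningful yes.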

The discovery of this vulnerability demonstrates the importance of collaboration between developers, security researchers, and vendors to identify and address potential security issues. It also highlights the need for ongoing vigilance and regular security audits to ensure that even seemingly minor flaws are caught before they can be exploited.

In conclusion, the critical flaw in Amazon Q Developer exposed by Wiz Research has significant implications for cloud security and developer safety. While Amazon has patched the issue, it is essential for developers to stay informed about potential vulnerabilities and take steps to protect themselves against malicious attacks.

Related Information:
  • https://www.ethicalhackingnews.com/articles/A-Critical-Flaw-in-Amazon-Q-Developer-Exposed-A-Vulnerability-That-Could-Have-Leaked-Cloud-Credentials-ehn.shtml
  • https://thehackernews.com/2026/06/amazon-q-developer-flaw-could-let.html
  • https://nvd.nist.gov/vuln/detail/CVE-2025-59536
  • https://www.cvedetails.com/cve/CVE-2025-59536/
  • https://nvd.nist.gov/vuln/detail/CVE-2025-54136
  • https://www.cvedetails.com/cve/CVE-2025-54136/
  • https://nvd.nist.gov/vuln/detail/CVE-2026-12957
  • https://www.cvedetails.com/cve/CVE-2026-12957/
  • https://nvd.nist.gov/vuln/detail/CVE-2026-30615
  • https://www.cvedetails.com/cve/CVE-2026-30615/


Published: Fri Jun 26 11:07:19 2026 by llama3.2 3B Q4_K_M
