Amazon Q Developer Flaw Let Malicious Repos Execute Code and Steal Cloud Credentials
Amazon patched a high-severity flaw in Amazon Q Developer and the underlying Language Servers for AWS that allowed a booby-trapped repository to execute attacker-controlled commands when a developer opened and trusted a workspace. Tracked as CVE-2026-12957 and rated CVSS 8.5, the issue involved unsafe handling of Model Context Protocol (MCP) configuration files such as .amazonq/mcp.json, which could cause Amazon Q integrations for VS Code, JetBrains, Eclipse, and Visual Studio to launch local processes defined by an attacker. Those processes inherited the developer’s environment, exposing AWS credentials, API keys, authentication tokens, and SSH agent access already present on the machine.
Wiz Research reported the vulnerability to AWS on April 20, and AWS fixed it on May 12, later publishing an advisory and releasing remediation in Language Servers for AWS 1.65.0. AWS also addressed a related flaw, CVE-2026-12958, involving missing symlink validation that could enable arbitrary file writes outside the workspace trust boundary; customers were advised to upgrade to version 1.69.0 to cover both issues. Researchers said likely attack paths include fake coding tests, typosquatted open-source packages, and malicious pull requests, while noting the weakness reflects broader trust-boundary problems emerging across AI coding assistants that adopt MCP-style workspace configuration.

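As an added example (not Wiz's or AWS's code), the following Python script audits a cloned repository's .amazonq/mcp.json before the workspace is trusted: it lists every local process the file would launch and flags entries that name a shell or interpreter, pass inline code through an argument flag, or set credential-like environment variables, and it refuses to follow a config that is a symlink resolving outside the workspace. It assumes the common MCP layout ({"mcpServers": {name: {command, args, env}}}); the launcher allowlist and the sample config are constructed for illustration. It is a review aid, not a substitute for upgrading to the fixed Language Servers release.

```python
import json
from pathlib import Path

# Hypothetical allowlist of launcher binaries a team has reviewed for MCP use.
ALLOWED_LAUNCHERS = {"uvx", "npx", "docker"}
# Interpreters and shells: naming one of these as the MCP "command" turns the
# config entry into a direct run-arbitrary-code primitive.
SHELL_LIKE = {"sh", "bash", "zsh", "cmd", "cmd.exe", "powershell", "pwsh",
              "python", "python3", "node", "perl", "ruby"}
# Flags that carry inline code to an interpreter.
INLINE_CODE_FLAGS = {"-c", "-e", "/c", "-command", "-encodedcommand"}
# Env var names that suggest the entry is reaching for credentials.
SENSITIVE_ENV_MARKERS = ("AWS_", "SSH_AUTH_SOCK", "TOKEN", "SECRET", "KEY")


def audit_servers(config: dict) -> list:
    """Return one finding per entry under mcpServers.

    verdict is "block" (the launch would hand the repository code execution
    or reach for credentials) or "review" (allowlisted launcher; still needs
    a human look because launchers such as npx fetch arbitrary packages).
    """
    servers = config.get("mcpServers")
    if not isinstance(servers, dict):
        return []
    findings = []
    for name, server in servers.items():
        if not isinstance(server, dict):
            server = {}
        command = str(server.get("command", ""))
        args = [str(a) for a in server.get("args") or []]
        env = server.get("env") or {}
        # Normalise Windows separators so the basename check works anywhere.
        base = Path(command.replace("\\", "/")).name.lower()
        reasons = []
        if base in SHELL_LIKE:
            reasons.append(f"command is an interpreter or shell ({base})")
        elif base not in ALLOWED_LAUNCHERS:
            reasons.append(f"launcher not on allowlist ({command or 'none'})")
        if any(a.lower() in INLINE_CODE_FLAGS for a in args):
            reasons.append("inline code passed through an argument flag")
        sensitive = sorted(k for k in env
                           if any(m in str(k).upper() for m in SENSITIVE_ENV_MARKERS))
        if sensitive:
            reasons.append(f"sets credential-like env vars {sensitive}")
        findings.append({"server": name, "command": command, "args": args,
                         "verdict": "block" if reasons else "review",
                         "reasons": reasons})
    return findings


def audit_config_text(text: str) -> list:
    """Audit the JSON body of an MCP config such as .amazonq/mcp.json."""
    try:
        config = json.loads(text)
    except json.JSONDecodeError as exc:
        return [{"server": None, "command": "", "args": [], "verdict": "block",
                 "reasons": [f"config is not valid JSON: {exc.msg}"]}]
    if not isinstance(config, dict):
        return [{"server": None, "command": "", "args": [], "verdict": "block",
                 "reasons": ["top-level value is not a JSON object"]}]
    return audit_servers(config)


def is_inside(path: Path, root: Path) -> bool:
    """True if path, after resolving symlinks, still lies under root."""
    try:
        path.resolve().relative_to(root.resolve())
        return True
    except ValueError:
        return False


def audit_workspace(workspace_root, rel_path=".amazonq/mcp.json") -> dict:
    """Audit a checked-out repository before trusting it in the IDE."""
    root = Path(workspace_root)
    cfg = root / rel_path
    report = {"path": str(cfg), "present": cfg.is_symlink() or cfg.exists(),
              "symlink_escape": False, "findings": []}
    if not report["present"]:
        return report
    # A config that is a symlink resolving outside the workspace crosses the
    # trust boundary; refuse to follow it rather than read what it points at.
    if cfg.is_symlink() and not is_inside(cfg, root):
        report["symlink_escape"] = True
        return report
    report["findings"] = audit_config_text(cfg.read_text(encoding="utf-8"))
    return report


# Constructed sample config (not taken from any real repository).
SAMPLE_CONFIG = """{
  "mcpServers": {
    "docs": {"command": "uvx", "args": ["example-docs-server"]},
    "helper": {"command": "/bin/bash", "args": ["-c", "echo placeholder"],
               "env": {"AWS_PROFILE": "default"}}
  }
}"""

if __name__ == "__main__":
    for f in audit_config_text(SAMPLE_CONFIG):
        print(f"{f['verdict']:6} {f['server']}: {f['command']} {' '.join(f['args'])}")
        for r in f["reasons"]:
            print("       -", r)
```

Run it against a clone with audit_workspace("/path/to/clone") before clicking "trust" in the IDE; an entry marked block should be treated as a reason to decline trust, and an allowlisted launcher still deserves a look at what package or image it pulls.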
How this story unfolded
Five events, listed from the most recent confirmed update back to the earliest known activity.
Wiz publicly discloses Amazon Q repository attack flaw
Wiz published its write-up describing how a malicious repository containing a .amazonq/mcp.json file could trigger local process execution in Amazon Q Developer and expose AWS credentials, API keys, tokens, and SSH agent access. Reports said no known public exploitation had been observed.
CVE-2026-12958 is published
The arbitrary file write vulnerability CVE-2026-12958 was publicly disclosed, with remediation guidance to upgrade Language Servers for AWS to version 1.69.0 or later.
AWS publishes advisory for CVE-2026-12957 and CVE-2026-12958
AWS published a security bulletin covering CVE-2026-12957 and the related symlink-handling flaw CVE-2026-12958 affecting Language Servers for AWS and Amazon Q Developer plugins.
AWS fixes CVE-2026-12957 in Language Servers for AWS 1.65.0
Amazon remediated CVE-2026-12957 on May 12, with the fix delivered in Language Servers for AWS version 1.65.0 and propagated to Amazon Q Developer integrations across supported IDEs.
Wiz reports Amazon Q command-execution flaw to AWS
Wiz Research notified AWS about CVE-2026-12957, a high-severity flaw in Amazon Q Developer and Language Servers for AWS that could let a malicious repository execute attacker-controlled commands and expose developer credentials.
Sources
Amazon Q VS Extension Flaw Leads to Cloud Credential Theft (darkreading.com)
Amazon Q Developer extension vulnerability could have exposed cloud credentials | brief | SC Media (scworld.com)
Amazon Q Vulnerability Let Attackers Execute Code and Access Sensitive Cloud Environments (cybersecuritynews.com)
Amazon Q Flaw Enabled Cloud Credential Theft via Malicious Repositories - SecurityWeek (securityweek.com)
CVE-2026-12958 - Arbitrary file write in Language Servers for AWS (cvefeed.io)
CVE-2026-12957 - Arbitrary Code Execution in Language Servers for AWS (cvefeed.io)
CVE-2026-12957 and CVE-2026-12958 - Issues in Language Servers for AWS and Amazon Q Developer Plugins (aws.amazon.com)
Arbitrary Code Execution in Language Servers for AWS · Advisory · aws/language-servers · GitHub (github.com)