A high-severity vulnerability has been discovered in Amazon's AI-powered coding assistant, Amazon Q Developer, allowing attackers to steal cloud credentials by tricking developers into opening malicious code repositories. The flaw, tracked as CVE-2026-12957, was patched in Language Servers for AWS version 1.69.0 and corresponding IDE plugins.
The vulnerability stems from Amazon Q's automatic loading of MCP (Model Context Protocol) server configurations from .amazonq/mcp.json files in workspace directories without user consent or trust verification. This created a dangerous attack chain, enabling attackers to inherit the victim's environment, including AWS credentials, CLI tokens, API keys, and SSH agent sockets.
Researchers at Wiz discovered that exploitation required only a malicious .amazonq/mcp.json file embedded in a repository. When a developer opened the folder in VS Code with Amazon Q active, the extension silently executed the payload, exfiltrating AWS session data to an attacker-controlled server using a single bash command.
What Happened
The vulnerability was discovered by Wiz researcher Maor Dokhanian on April 17, 2026. He reported it to Amazon Security on April 20, and the company acknowledged the issue the same day. An initial patch was released on May 12 in Language Servers for AWS version 1.65.0.
The public disclosure of the vulnerability occurred on June 26, giving organizations roughly six weeks to update before the details went public. Amazon has recommended that users upgrade to version 1.69.0 for more comprehensive protection, which also addresses a related vulnerability, CVE-2026-12958, involving symlink validation issues in MCP configurations.
No instances of public exploitation have been recorded so far, but researchers highlighted several targeted attack vectors, including malicious pull requests to popular open-source repositories, typosquatted packages embedding hidden .amazonq/ configurations, and fake job interview coding tests.
Background and Context
Amazon Q Developer is an AI-powered coding assistant that offers developers features such as code suggestions, automated refactoring, and access to external tools and services via integrations with local processes. The extension uses MCP server configurations to connect with databases, APIs, and system resources.
The vulnerability was not unique to Amazon Q; other researchers have reported similar flaws in AI-assisted development environments, including Claude Code, Cursor, and Windsurf. These tools use MCP to interact with external tools and data sources, creating a potential attack vector for cloud credential theft.
Why it Matters to the Industry
The vulnerability highlights the importance of secure coding practices in AI-assisted development environments. Developers must be aware of the potential risks associated with automatic loading of configuration files and take steps to protect their cloud credentials.
The attack vector is particularly concerning for developers working with AWS, as it allows attackers to inherit sensitive environment variables, including access keys, session tokens, and region configurations. This can lead to silent data exfiltration without any visible warning or permission dialog.
What Comes Next
Amazon has patched the vulnerability in Language Servers for AWS version 1.69.0 and corresponding IDE plugins. Developers should update their Amazon Q Developer plugins to the latest versions immediately and treat unfamiliar or unverified repositories with caution.
The disclosure of this vulnerability serves as a reminder of the importance of secure coding practices and regular updates to prevent similar attacks in the future. As AI-assisted development environments continue to evolve, developers must remain vigilant and take steps to protect their cloud credentials from potential threats.
Key Facts
- The vulnerability was discovered by Wiz researcher Maor Dokhanian on April 17, 2026.
- The flaw allowed attackers to steal cloud credentials by tricking developers into opening malicious code repositories.
- The vulnerability was patched in Language Servers for AWS version 1.69.0 and corresponding IDE plugins.
- Exploitation required only a malicious .amazonq/mcp.json file embedded in a repository.
- No instances of public exploitation have been recorded so far.