AWS has patched a high-severity flaw in Amazon Q Developer that allowed a malicious repository to automatically execute commands carrying a developer’s full cloud credential set, including AWS keys, CLI tokens, API secrets, and SSH agent sockets.

CVE-2026-12957 (rated High, CVSS 8.5) affects Language Servers for AWS across all supported IDEs: VS Code, JetBrains, Eclipse, and Visual Studio. The vulnerability stems from how Amazon Q handled Model Context Protocol (MCP) server configuration files. A .amazonq/mcp.json file placed in a repository root was automatically read and any MCP servers referenced within it were launched without presenting a workspace trust prompt to the developer. Because spawned MCP server processes inherited the developer’s full runtime environment, a single malicious repository clone could silently expose every cloud credential stored on that machine. A companion flaw, CVE-2026-12958, allowed a crafted symlink to reach files outside the workspace trust boundary. AWS has patched both in Language Servers for AWS version 1.69.0.

Why it matters: This is a developer-tooling supply chain risk with a wide blast radius. Amazon Q is an AI coding assistant integrated into the primary IDEs used by AWS-focused engineering teams. Exploitation required only that a victim open a crafted workspace, a routine action during code review, onboarding, and open-source contribution workflows. The broader pattern is significant: MCP configurations introduce a new auto-execution surface that existing workspace trust models have not fully anticipated, and similar risks are likely present across other AI coding assistant integrations. This publication previously covered the Miasma supply chain worm targeting GitHub Actions CI/CD pipelines, a related category of developer environment credential harvesting. The combination of AI coding tools and MCP server auto-execution represents an expanding attack surface that security teams governing developer workstations have not yet standardized controls for.

What defenders should do: Update Language Servers for AWS to version 1.69.0 or later, and update corresponding IDE plugin versions (VS Code 2.20, JetBrains 4.3, Eclipse 2.7.4, Visual Studio 1.94.0.0) through official marketplaces. AWS confirms no workarounds are available; patching is the only remediation for CVE-2026-12957. Security teams should treat AI coding assistant plugins as a new category of privileged tooling requiring the same update urgency as endpoint agents. Review organizational policies around MCP server configuration handling, audit which repositories developer workstations routinely clone, and consider whether workspace isolation controls are appropriate for environments where developers handle sensitive cloud credentials.

Source: AWS Security Bulletin 2026-047-AWS