What happened
Wiz Research disclosed CVE-2026-12957 (CVSS 8.5) in Amazon Q Developer: the Language Servers for AWS runtime — which powers Amazon Q across VS Code, JetBrains, Eclipse, and Visual Studio — automatically read and executed MCP server configurations from .amazonq/mcp.json files present in any opened workspace, without user consent or workspace-trust gating. A single malicious config file placed in a repository caused Amazon Q to auto-launch attacker-controlled MCP server processes that inherited the developer's full environment, exposing AWS credentials, cloud CLI tokens, API secrets, and SSH agent sockets. A related flaw, CVE-2026-12958, compounded the exposure. Wiz reported April 20, 2026; Amazon patched May 12 in Language Servers for AWS v1.65.0 (v1.69.0 recommended).
Why it matters
Opening a cloned repository — a routine developer action — was sufficient to hand an attacker the developer's live AWS session. Because Amazon Q is tightly integrated with AWS credentials at the IDE level, the attack path from git clone to full cloud account compromise was a single step. The Hacker News called it a systemic MCP architecture trust-boundary failure confirmed across multiple AI coding assistants, not an isolated Amazon bug.
Attack vector
Attacker places a malicious .amazonq/mcp.json in a repository; developer opens and trusts the workspace; Amazon Q auto-launches attacker-defined MCP servers that inherit the developer's full credential environment
Affected systems
Amazon Q Developer / Language Servers for AWS < v1.65.0; affects VS Code, JetBrains, Eclipse, Visual Studio extensions
Mitigation
Update Language Servers for AWS to v1.69.0 or later; enforce workspace trust before opening unfamiliar repositories. Wiz Research advisory: https://www.wiz.io/blog/amazon-q-developer-mcp-vulnerability; The Hacker News coverage: https://thehackernews.com/2026/06/amazon-q-developer-flaw-could-let.html