Unrated

Arbitrary Code Execution in Language Servers for AWS Workspace MCP Configuration Handling

IdentifiersCVE-2026-12957CWE-501

CVE-2026-12957 is a high-severity arbitrary code execution vulnerability in Language Servers for AWS before version 1.65.0 on all supported platforms, affecting Amazon Q Developer integrations that bundle the vulnerable language server. The issue is described as improper trust boundary enforcement: when a user opens a maliciously crafted workspace and trusts it when prompted, commands embedded in project configuration files can be automatically executed. Supporting reporting attributes the behavior to unsafe handling of workspace-controlled Model Context Protocol (MCP) configuration, including automatic loading of .amazonq/mcp.json and execution of attacker-defined commands/processes without separate consent. Spawned processes may inherit the developer’s environment, exposing credentials and secrets present in the session.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows attacker-controlled command execution in the developer’s local environment under the context of the user running the IDE. Because the executed processes can inherit the user environment, impact can include theft of active AWS credentials, cloud CLI tokens, API keys, SSH agent access, and other secrets, enabling follow-on cloud compromise, lateral movement, persistence, unauthorized access to internal services, and broader integrity and availability impacts on connected environments.

Mitigation

If you can’t patch tonight, do this now.

No workaround is available according to the AWS advisory. Until patched, avoid opening untrusted repositories or workspaces, and do not trust suspicious projects when prompted. Review workspace configuration content such as .amazonq/mcp.json or related project configuration files before enabling trust, and carefully evaluate any MCP server consent prompts in updated versions.

Remediation

Patch, then assume compromise.

Upgrade Language Servers for AWS to version 1.65.0 or later. AWS advisory content further recommends upgrading to Language Servers for AWS 1.69.0 or later and updating affected Amazon Q Developer IDE plugins to fixed releases that bundle the remediated language server. Where applicable, upgrade plugin versions to the vendor-fixed releases for the relevant IDE and patch any forked or derivative code to incorporate the fixes.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

Amazon Web ServicesLanguage Servers For Awsapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

27 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

27 SOURCESView more in app

scworldNews

Jun 26, 2026

Amazon Q Developer extension vulnerability could have exposed cloud credentials | brief | SC Media

A command execution vulnerability in the Amazon Q Developer extension caused by automatic execution of commands from workspace configuration files without user consent, potentially enabling theft of cloud credentials and API keys.

cyber security newsNews

Jun 26, 2026

Amazon Q Vulnerability Let Attackers Execute Code and Access Sensitive Cloud Environments

An improper trust boundary enforcement vulnerability in Amazon Q Developer components that allowed MCP configurations from repository workspace files to auto-execute without user consent, enabling arbitrary code execution and credential theft when a developer opened a malicious repository.

security weekNews

Jun 26, 2026

Amazon Q Flaw Enabled Cloud Credential Theft via Malicious Repositories - SecurityWeek

A high-severity vulnerability in Amazon Q Developer plugins/language server where workspace-embedded configuration files could be auto-executed without user permission, enabling attacker-controlled command execution and theft of cloud credentials and API keys from a developer environment.

the hacker newsNews

Jun 26, 2026

Amazon Q Developer Flaw Could Let Malicious Repos Run Code via MCP Configs

A high-severity flaw in Amazon Q Developer / Language Servers for AWS that allowed a malicious repository to define an MCP server via .amazonq/mcp.json, leading to command execution and theft of developer cloud credentials after the workspace was trusted.

+3 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity18

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2026-12957

NVD

nvd.nist.gov/vuln/detail/CVE-2026-12957

MITRE CWE · CWE-501

cwe.mitre.org