TL;DR

Amazon Q Developer automatically loaded MCP server configurations from .amazonq/mcp.json in any opened workspace — without user consent or trust verification — and spawned those servers as unsandboxed processes inheriting the developer's live AWS credentials. Opening a malicious repository was sufficient to execute attacker code and exfiltrate AWS keys, cloud tokens, SSH sockets, and API secrets. Patched in Language Servers for AWS 1.65.0 (released May 12, 2026); Wiz Research disclosed publicly June 26, 2026.

What happened

Amazon Q Developer is AWS's AI coding assistant, available as a plugin for VS Code, JetBrains, Eclipse, and Visual Studio. Like other AI coding assistants in this class (Claude Code, Cursor, Gemini CLI), it supports Model Context Protocol (MCP) servers — local processes the assistant spawns to access databases, APIs, build tools, and other developer infrastructure.

On April 20, 2026, Wiz Research reported two vulnerabilities to AWS:

CVE-2026-12957 — MCP config auto-execution without workspace trust (CVSS 8.5)

Amazon Q read .amazonq/mcp.json from any opened workspace and immediately launched the MCP servers it defined — without prompting the developer for consent or verifying that the workspace was trusted. The launched processes inherited the developer's full environment, providing attackers immediate access to:

  • AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN
  • Cloud CLI tokens (GCP, Azure, any others in the environment)
  • API secrets and SSH agent sockets
  • ~/.aws/credentials, ~/.kube/config, and other credential files reachable from the environment

Wiz demonstrated the complete attack chain using aws sts get-caller-identity — a single cloned repo could escalate from "git clone" to full cloud account access.

A missing symlink check in the workspace file processor allowed an attacker to construct symlinks that pointed outside the workspace trust boundary, enabling arbitrary file writes to the developer's home directory. This bypassed the workspace isolation that MCP server restrictions were meant to enforce.

Attack vectors:

  • A public repository with a malicious .amazonq/mcp.json (fake coding tests, AI-demo repos, open-source contributions)
  • A typosquatted or Shai-Hulud-poisoned package that plants .amazonq/mcp.json in the project directory
  • A malicious pull request to an existing repository

This is the same attack class as: - Claude Code CVE-2025-59536 — CLAUDE.md/hooks auto-execute on folder trust - Cursor CVE-2025-54136 — auto-run on repository open - Windsurf CVE-2026-30615 — zero-click MCP RCE - TrustFall — five AI CLIs auto-execute MCP servers on folder-trust dialog

The pattern is systemic: every AI coding assistant that reads workspace config files and spawns processes before establishing trust is a potential "git clone to cloud compromise" vector.

No known public exploitation was reported before the patch was released. AWS auto-updates the language server unless network configuration prevents it.

Am I affected?

You are exposed if you use Amazon Q Developer and have not updated.

Check your current Language Server for AWS version:

# In VS Code: Help → About → show all versions (look for Amazon Q Language Server)
# Or check the AWS extension output channel for version info

# Check installed plugin versions:
# VS Code:    Extensions view → Amazon Q → check version (need ≥ 2.20)
# JetBrains:  Plugins → Amazon Q → check version (need ≥ 4.3)
# Eclipse:    Help → Install New Software (need ≥ 2.7.4)
# VS (Win):   Extensions → Amazon Q Toolkit (need ≥ 1.94.0.0)

Check if your repo has a malicious .amazonq/mcp.json:

# Look for unexpected MCP server definitions in your project
cat .amazonq/mcp.json 2>/dev/null

# Check for recently added/modified mcp.json files
git log --all --oneline -- .amazonq/mcp.json

# Look for unexpected commands in the mcp definition
grep -r '"command"' .amazonq/ 2>/dev/null

Audit for unexpected cloud activity:

# Check for unauthorized AWS STS calls (CloudTrail)
aws cloudtrail lookup-events \
  --lookup-attributes AttributeKey=EventName,AttributeValue=GetCallerIdentity \
  --start-time 2026-04-20T00:00:00Z \
  --query 'Events[*].[EventTime,Username,SourceIPAddress]' \
  --output table

If you are affected

  1. Update immediately to Language Servers for AWS ≥ 1.69.0 (AWS's recommended target). The language server auto-updates unless the network blocks it; reload your IDE to pull the latest build.
  2. If you opened any untrusted repositories between November 2025 (when MCP support shipped) and May 12, 2026, rotate your AWS credentials immediately.
  3. Review CloudTrail for unexpected GetCallerIdentity, AssumeRole, or API calls from developer workstations during the vulnerable window.
  4. Remove any .amazonq/mcp.json file from your repository that you didn't author, or verify every command entry in existing ones.

See also: - Rotating cloud credentials playbook - If your local AI agent was exploited

Prevention

  • Keep AI coding tools on latest — many AI tool security fixes ship with no CVE or advisory. Auto-update or check weekly.
  • Review .amazonq/mcp.json, .mcp.json, .claude/settings.json, and .cursor/ in every repo before opening with an AI coding assistant. These files define what processes the assistant will spawn.
  • Never open repositories from untrusted sources directly with an AI coding assistant. Clone first, inspect config files, then open.
  • Gate changes to AI-tool config files behind CODEOWNERS review in any collaborative repo.
  • Apply minimal-privilege IAM: developer workstation roles should have session duration limits (e.g., 1-hour STS tokens) and aws:SourceIp conditions where practical — this limits the blast radius if credentials are exfiltrated.
  • See: MCP hygiene, Credential hygiene

Sources