Amazon Q Vulnerability Let Attackers Execute Code and Access Sensitive Cloud Environments
\n \t
\n
<\/BR>
\n
\n \t
\n
<\/BR><\/p>\n
A high-severity vulnerability in the Amazon Q Developer Extension for Visual Studio Code (VS Code), Amazon\u2019s AI-powered coding assistant.<\/p>\n
Tracked as CVE-2026-12957 and CVE-2026-12958 and disclosed by Wiz Research, the flaws allowed attackers to achieve arbitrary code execution and cloud credential theft simply by having a developer open a malicious repository.<\/p>\n
The root cause was Amazon Q\u2019s automatic loading of MCP (Model Context Protocol) server<\/a> configurations from When a developer opened a compromised repository with Amazon Q active, the extension silently executed commands defined in the malicious config. Since spawned processes inherited the developer\u2019s full environment, attackers gained immediate access to:<\/p>\n A minimal proof-of-concept showed<\/a> that a single malicious Two CVEs were assigned as part of this disclosure:<\/p>\n The following product versions are affected:<\/p>\n Beyond opportunistic exploitation, researchers highlighted several targeted attack vectors:<\/p>\n Amazon has patched both vulnerabilities in Language Servers for AWS version 1.69.0. The language server updates automatically for most users; reloading the IDE triggers the update. No action is required for users already on patched versions.<\/p>\n Developers should take these precautions regardless:<\/p>\n This vulnerability reflects a broader pattern across AI coding tools. Check Point Research independently identified CVE-2025-59536 and CVE-2026-21852 in Claude Code, and OX Security discovered CVE-2026-30615 in Windsurf \u2014 all rooted in the same auto-execution risk. MCP auto-execution without consent is now recognized as a systemic industry risk requiring coordinated attention.<\/p>\n The vulnerability was discovered by Maor Dokhanian of Wiz Research and disclosed responsibly to Amazon on April 20, 2026. Amazon deployed the initial fix on May 12, 2026, with full public disclosure on June 26, 2026, under Security Bulletin 2026-047-AWS<\/a>.<\/p>\n Upgrade your proactive defense against attacks. Access\u00a05 proven threat hunting tactics<\/a>\u00a0you can deploy in your SOC<\/strong><\/strong><\/strong>.<\/strong><\/p>\n The post Amazon Q Vulnerability Let Attackers Execute Code and Access Sensitive Cloud Environments<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n.amazonq\/mcp.json<\/code> workspace files without user consent or workspace trust verification. Combined with full environment inheritance by spawned processes, this created a dangerous attack chain.<\/p>\nAmazon Q Vulnerability<\/strong><\/h2>\n
\n
AWS_ACCESS_KEY_ID<\/code>, AWS_SECRET_ACCESS_KEY<\/code>, AWS_SESSION_TOKEN<\/code>)<\/li>\n.amazonq\/mcp.json<\/code> file could exfiltrate active AWS session credentials to an attacker-controlled server \u2014 no clicks, no prompts, no warning.<\/p>\n\n
\n\n
\n \nProduct<\/th>\n Affected Version<\/th>\n<\/tr>\n<\/thead>\n \n Language Servers for AWS<\/td>\n < 1.69.0<\/td>\n<\/tr>\n \n Amazon Q Developer for VS Code<\/td>\n < 2.20<\/td>\n<\/tr>\n \n Amazon Q Developer for JetBrains<\/td>\n < 4.3<\/td>\n<\/tr>\n \n Amazon Q Developer for Eclipse<\/td>\n < 2.7.4<\/td>\n<\/tr>\n \n AWS Toolkit with Amazon Q for Visual Studio<\/td>\n < 1.94.0.0<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n Attack Scenarios<\/strong><\/h2>\n
\n
.amazonq\/<\/code> configurations<\/li>\n\n
.amazonq\/<\/code> directories in cloned repositories for unexpected MCP configurations<\/li>\n