A significant vulnerability has been identified in the Amazon Q Developer Extension for Visual Studio Code, which is Amazon’s AI-enhanced coding tool. This vulnerability, tracked as CVE-2026-12957 and CVE-2026-12958, was revealed by Wiz Research. The flaws allowed attackers to execute arbitrary code and steal cloud credentials when a developer opened a malicious repository.
The core issue stemmed from Amazon Q’s behavior of automatically loading Model Context Protocol (MCP) server configurations from the .amazonq/mcp.json file in workspace directories, without requiring user consent or verifying workspace trust. This, coupled with the automatic inheritance of environmental variables by processes started by the extension, created a critical attack vector.
When a developer interacted with a compromised repository while using Amazon Q, the extension would execute commands embedded in the malicious configuration file without any alerts. As a result, attackers could gain access to the developer’s active AWS session credentials, allowing them to exfiltrate this sensitive information to an attacker-controlled server.
Amazon has addressed these vulnerabilities in their Language Servers for AWS version 1.69.0. For most users, the language server updates automatically when the IDE is reloaded, so no additional action is required if the system is already updated.
Despite the patch, developers are advised to remain vigilant and take necessary precautions. This issue highlights a broader pattern of vulnerabilities in AI coding tools. Similar auto-execution risks have been identified in other tools like Claude Code and Windsurf, indicating a systemic issue that requires industry-wide attention.
The vulnerabilities in Amazon Q were discovered by Maor Dokhanian from Wiz Research and responsibly disclosed to Amazon on April 20, 2026. Amazon released an initial fix on May 12, 2026, and made a full public disclosure on June 26, 2026, through Security Bulletin 2026-047-AWS.


