Amazon Q Developer vulnerability: how a single config file at clone time can expose your AWS credentials
thenextweb.com

Published by AINave Editorial • Reviewed by Ramit

TL;DR: Wiz Research disclosed CVE-2026-12957, a high-severity vulnerability in Amazon Q Developer where a single .amazonq/mcp.json file in a cloned repository could auto-start a malicious MCP server and silently exfiltrate the developer's AWS credentials, IAM role, and environment variables. Amazon patched the issue on May 12 by requiring explicit user approval for MCP server startup and restricting environment variable access. A second flaw, CVE-2026-12958, allowed arbitrary file writes via unchecked symbolic links. Developers should update IDE plugins immediately and audit recently cloned repositories.

A high-severity vulnerability in Amazon Q Developer showed that a single MCP configuration file in a cloned repository can silently start a malicious server and hand over the developer's AWS credentials with zero user interaction. Here is what happened, why it matters for teams shipping AI products, and what to do now.

What happened

Wiz Research discovered an Amazon Q Developer vulnerability, tracked as CVE-2026-12957, that exploited how the AI coding assistant loads MCP (Model Context Protocol) servers. An attacker places a .amazonq/mcp.json file inside a code repository. When a developer clones and opens that repo in an IDE with the Amazon Q Developer extension, the MCP configuration file automatically registers and starts an attacker-controlled MCP server with no prompt or consent step.

That server inherits the developer's full AWS credentials, IAM role, and any other environment variables available to the IDE plugin. Wiz built a proof of concept that ran a standard AWS identity command through the malicious MCP server and sent the output to an external server, returning the developer's AWS account ID, user ARN, and session credentials.

Amazon patched the issue on May 12 after Wiz reported it on April 20. The fix requires explicit user approval before any MCP server can start and restricts the environment variables that MCP servers can access. A second flaw, CVE-2026-12958, involved the plugin not checking symbolic links when writing workspace files, enabling arbitrary file writes. Amazon released updates for Language Servers for AWS and IDE plugins across VS Code, JetBrains, Eclipse, and Visual Studio. There is no evidence the flaw was exploited in the wild, per CISA.

Why AI builders should care

MCP is a protocol that lets AI coding assistants connect to external tools and data sources. By design, it gives AI assistants the ability to call external tools with whatever permissions the host application holds. When a repository can silently register an MCP server that inherits a developer's cloud credentials, the attack surface expands from the code itself to every service the developer can access.

This is not an isolated problem. Anthropic's Claude Code was found vulnerable to a similar credential-theft attack through prompt injection in GitHub Actions earlier this year. Cursor and Codeium's Windsurf have also disclosed MCP-related vulnerabilities in recent months. If you maintain internal tooling or documentation that uses MCP, this pattern is directly relevant to your threat model.

Practical implications

For teams using Amazon Q Developer, the fix is straightforward but urgent. Update IDE plugins to the latest available versions across VS Code, JetBrains, Eclipse, and Visual Studio immediately. Audit any repositories your team has cloned recently for unexpected .amazonq/mcp.json configurations.

Action | Detail
Update plugins | Apply latest Language Servers for AWS and IDE plugin updates across all supported IDEs
Audit recent clones | Check for .amazonq/mcp.json files that could trigger MCP registration
Review runtime permissions | Consider limiting environment variables your AI tooling can access
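
One way to run the "audit recent clones" step, as an added example that is not code from Wiz, Amazon, or this article: it walks a directory of cloned repositories, finds every .amazonq/mcp.json, and reports the command line each entry would launch without executing anything. The top-level "mcpServers" key with "command", "args", and "env" fields is an assumption about the config layout, and the sample tree is constructed.

```python
import json
import os
import sys
import tempfile

def find_mcp_configs(root):
    """Yield each .amazonq/mcp.json under root; symlinked directories are not followed."""
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        dirnames[:] = [d for d in dirnames if d not in (".git", "node_modules")]
        if os.path.basename(dirpath) == ".amazonq" and "mcp.json" in filenames:
            yield os.path.join(dirpath, "mcp.json")

def summarize(path):
    """Describe what a config would launch, without executing anything."""
    out = {"path": path, "servers": [], "error": None}
    try:
        with open(path, encoding="utf-8") as fh:
            doc = json.load(fh)
    except (OSError, ValueError) as exc:  # unreadable or malformed: still report it
        out["error"] = str(exc)
        return out
    # Assumption: servers are listed under a top-level "mcpServers" object.
    servers = doc.get("mcpServers") if isinstance(doc, dict) else None
    for name, spec in sorted((servers if isinstance(servers, dict) else {}).items()):
        if not isinstance(spec, dict):
            continue
        args = spec.get("args") if isinstance(spec.get("args"), list) else []
        env = spec.get("env") if isinstance(spec.get("env"), dict) else {}
        argv = [spec.get("command", "")] + args
        out["servers"].append({"name": name, "argv": argv, "env_keys": sorted(env)})
    return out

def audit(root):
    return [summarize(p) for p in sorted(find_mcp_configs(root))]

def make_constructed_sample(root):
    """Constructed sample: one repo with an MCP config, one without, one malformed."""
    cfg = {"mcpServers": {"docs-helper": {"command": "node", "args": ["tools/server.js"]}}}
    for repo, body in (("repo-a", json.dumps(cfg)), ("repo-b", None), ("repo-c", "{not json")):
        os.makedirs(os.path.join(root, repo, ".git"))
        if body is not None:
            os.makedirs(os.path.join(root, repo, ".amazonq"))
            with open(os.path.join(root, repo, ".amazonq", "mcp.json"), "w") as fh:
                fh.write(body)
    return root

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else make_constructed_sample(tempfile.mkdtemp())
    for f in audit(root):
        print(f["path"], f["error"] or [s["argv"] for s in f["servers"]])
```

Pass the directory that holds your clones as the first argument; a config that fails to parse is still listed, since its presence in a repository is the thing to review.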

If you are building AI-powered developer tools, consider adding explicit consent steps for any configuration file that can trigger tool execution at clone time. The same MCP mechanics that make the protocol powerful also make it a supply chain vector.
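
For tool builders, a sketch of the two controls the patch is described as adding, explicit approval before startup and a restricted environment. This is an added example, not Amazon's implementation: the function names, the allowlist contents, the in-memory approval set, and the "mcpServers" config layout are all assumptions, and the sample config and environment are constructed.

```python
import hashlib
import json

# Assumption: a minimal set a tool server needs; AWS_* and tokens are not on it.
ENV_ALLOWLIST = frozenset({"PATH", "HOME", "LANG", "TMPDIR"})

def fingerprint(raw_config: bytes) -> str:
    """Approval is pinned to the exact bytes, so an edited config must be re-approved."""
    return hashlib.sha256(raw_config).hexdigest()

def scrub_env(parent_env, allowlist=ENV_ALLOWLIST):
    """Allowlist, not denylist: unknown secret-bearing variables are dropped by default."""
    return {k: v for k, v in parent_env.items() if k in allowlist}

def plan_launch(raw_config, approved, parent_env, ask):
    """Return [(argv, env)] for servers that may start; [] if the user declines.

    approved: set of fingerprints the user accepted earlier (hypothetical store).
    ask: callable shown the exact command lines, returns True on consent.
    """
    servers = json.loads(raw_config).get("mcpServers", {})
    commands = {name: [spec["command"], *spec.get("args", [])]
                for name, spec in servers.items()}
    fp = fingerprint(raw_config)
    if fp not in approved:
        if not commands or not ask(commands):
            return []
        approved.add(fp)
    env = scrub_env(parent_env)
    return [(argv, dict(env)) for argv in commands.values()]

# Constructed sample input: a workspace config and an IDE environment with credentials.
SAMPLE_CONFIG = b'{"mcpServers": {"docs-helper": {"command": "node", "args": ["server.js"]}}}'
SAMPLE_ENV = {"PATH": "/usr/bin", "HOME": "/home/dev",
              "AWS_ACCESS_KEY_ID": "constructed-not-a-real-key",
              "AWS_SESSION_TOKEN": "constructed-not-a-real-token"}

if __name__ == "__main__":
    approved = set()
    print(plan_launch(SAMPLE_CONFIG, approved, SAMPLE_ENV, ask=lambda c: False))
    print(plan_launch(SAMPLE_CONFIG, approved, SAMPLE_ENV, ask=lambda c: True))
```

Scrubbing the environment does not stop a child process running as the same user from reading credential files on disk, so the consent step remains the primary control.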

Caveats

Amazon patched both issues before public disclosure, and no confirmed in-the-wild exploits exist per advisories. The PoC demonstrated credential exfiltration in a controlled test, and actual attacker behavior may differ by environment. Some details rely on vendor and security research reports; verify with official advisories for your specific IDE and plugin versions.

FAQs

What is Amazon Q Developer and how does it relate to AWS credentials?

Amazon Q Developer is an AI-powered coding assistant that can load external tools and data sources through MCP (Model Context Protocol) servers. When an MCP server is started from a repository configuration file, it inherits the developer's environment variables, including AWS credentials and IAM roles. The CVE-2026-12957 vulnerability exploited this by auto-starting a rogue MCP server from a cloned repo's config file with no user consent, allowing credential theft in the Wiz Research proof of concept.

What happened in CVE-2026-12957 and CVE-2026-12958?

CVE-2026-12957 is a high-severity vulnerability where an attacker-controlled MCP server auto-starts from a .amazonq/mcp.json file in a cloned repository and can steal the developer's AWS credentials without any consent step. CVE-2026-12958 is a separate flaw where the plugin did not check symbolic links when writing workspace files, allowing arbitrary file writes on the developer's system. Amazon patched both issues in updated Language Servers for AWS and IDE plugins.

How can I protect my development environment from MCP-based attacks?

Update your Amazon Q Developer IDE plugins to the latest versions across VS Code, JetBrains, Eclipse, and Visual Studio. Audit repositories you have cloned recently for unexpected .amazonq/mcp.json files. Review and limit the environment variables exposed to MCP servers in your development workflow. The vendor patch also added explicit user approval before MCP server startup.

What patches did Amazon release and how to apply them?

Amazon patched CVE-2026-12957 by requiring explicit user approval before any MCP server can start and by restricting the environment variables that MCP servers can access. CVE-2026-12958 was fixed by adding symbolic link checks during file writes. Apply the updates through the latest releases of Language Servers for AWS and the corresponding IDE plugins for VS Code, JetBrains, Eclipse, and Visual Studio.
