Amazon Q Developer Vulnerability Enables Code Execution through Malicious Repositories

Critical Security Vulnerabilities Discovered in Amazon Q Developer Extension for Visual Studio Code

Recent findings have unveiled significant security vulnerabilities in the Amazon Q Developer Extension for Visual Studio Code, exposing developers to risks associated with arbitrary code execution and the potential theft of cloud credentials. These vulnerabilities, identified as CVE-2026-12957 and CVE-2026-12958, underscore serious concerns regarding the management of trust boundaries within AI coding assistants.

The core of this issue resides in the way Amazon Q handles its Model Context Protocol (MCP) server configurations. These MCP servers are designed to act as local processes that enhance the capabilities of AI assistants, allowing them to interact seamlessly with APIs, databases, and local resources. However, the manner in which these configurations are processed poses a grave security risk.

Amazon Q automatically loads these configurations from a hidden .amazonq/mcp.json file located in workspace directories, without requiring user consent or checking workspace trust. Because of this design flaw, when a malicious configuration is loaded, the processes it spawns inherit the user's complete environment. This grants immediate access to sensitive data, including AWS credentials (access key IDs, secret access keys, and session tokens), API keys, and SSH agent sockets.

Security experts from Wiz presented a proof-of-concept demonstrating how a simple Bash command included in a malicious configuration could trigger identity commands and transmit captured AWS sessions to an attacker-controlled server. Exploiting this vulnerability requires minimal interaction from the user: an attacker only needs to insert a harmful configuration file into a code repository and wait for a developer to clone it and open the folder in an Integrated Development Environment (IDE) where Amazon Q is active. The extension then executes the embedded configuration commands silently, without any alerts or warnings.

Threat actors can exploit this vulnerability through various channels, all of which rely on getting a poisoned repository onto a developer's machine. Common methods for spreading these malicious repositories include typosquatted packages, malicious pull requests directed at popular open-source projects, and compromised software dependencies. Notably, certain threat groups associated with the Democratic People’s Republic of Korea (DPRK) have frequently used deceptive job interview coding tests as a delivery strategy, making this a highly plausible and concerning attack scenario.

Should an attacker successfully exploit this vulnerability, they could gain the ability to create backdoors for IAM (Identity and Access Management) users, maintain persistence in cloud environments, or pivot into internal production systems by leveraging inherited VPN contexts.

The vulnerability was identified by Wiz researcher Maor Dokhanian on April 17, 2026, with immediate reporting to Amazon Security on April 20. In response, Amazon released an initial update for the language server on May 12, followed by public disclosure of the issue on June 26, 2026. The two CVEs specifically address two critical issues: improper enforcement of trust boundaries (CVE-2026-12957) and a lack of symlink validation (CVE-2026-12958).

Developers utilizing Amazon Q must ensure that their environments are updated beyond specific vulnerable plugin versions. For example:

| Product | Vulnerable Version |
| --- | --- |
| Language Servers for AWS | < 1.69.0 |
| Amazon Q Developer for VS Code | < 2.20 |
| Amazon Q Developer for JetBrains | < 4.3 |
| Amazon Q Developer for Eclipse | < 2.7.4 |
| AWS Toolkit with Amazon Q for Visual Studio | < 1.94.0.0 |

In most instances, the AWS language server updates automatically, meaning that a simple reload of the IDE can implement the patch. Developers are advised to regularly audit their workspace directories for any unexpected .amazonq/ folders and to treat unfamiliar repositories with a high degree of caution.
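One way to carry out the workspace audit recommended above, as an added example that is not from Wiz or Amazon: it walks a directory tree, reports every .amazonq entry, flags symlinks, and lists the command each configured MCP server would launch. The function names and the sample tree are constructed for illustration, and the `mcpServers` / `command` / `args` layout is an assumption based on the common MCP configuration format.

```python
import json
import os
import tempfile
from pathlib import Path


def audit_workspaces(root):
    """Return (path, kind, detail) findings for every .amazonq entry under root."""
    findings = []
    for dirpath, dirnames, _ in os.walk(root, followlinks=False):
        qdir = Path(dirpath, ".amazonq")
        if not os.path.lexists(qdir):
            continue
        if ".amazonq" in dirnames:
            dirnames.remove(".amazonq")  # already handled here, do not descend
        cfg = qdir / "mcp.json"
        # Symlinked folders or config files deserve a manual look (CVE-2026-12958).
        for p in (qdir, cfg):
            if p.is_symlink():
                findings.append((str(p), "symlink", os.readlink(p)))
        if not cfg.is_file():
            findings.append((str(qdir), "no-mcp-config", ""))
            continue
        try:
            # Assumed layout: {"mcpServers": {name: {"command": ..., "args": [...]}}}
            servers = json.loads(cfg.read_text(encoding="utf-8"))["mcpServers"]
            for name, spec in servers.items():
                argv = [str(spec.get("command", ""))]
                argv += [str(a) for a in spec.get("args", [])]
                findings.append((str(cfg), f"server:{name}", " ".join(argv)))
        except (OSError, ValueError, KeyError, TypeError, AttributeError):
            findings.append((str(cfg), "unrecognized", ""))
    return findings


def demo():
    """Audit a constructed sample tree holding one benign placeholder server."""
    sample = {"mcpServers": {"docs": {"command": "example-mcp-server",
                                      "args": ["--stdio"]}}}
    with tempfile.TemporaryDirectory() as tmp:
        qdir = Path(tmp, "cloned-repo", ".amazonq")
        qdir.mkdir(parents=True)
        (qdir / "mcp.json").write_text(json.dumps(sample), encoding="utf-8")
        return [(kind, detail) for _, kind, detail in audit_workspaces(tmp)]


if __name__ == "__main__":
    for kind, detail in demo():
        print(kind, detail)
```

Point `audit_workspaces` at the directory where repositories are cloned and review any reported server command that was not added deliberately.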

This incident is part of a broader pattern involving MCP auto-execution vulnerabilities that have emerged within the AI development ecosystem. Similar issues have been highlighted in other products, such as Claude Code (CVE-2025-59536, CVE-2026-21852), Cursor (CVE-2025-54136), and Windsurf (CVE-2026-30615).

The proliferation of these vulnerabilities suggests an urgent need for the cybersecurity community to standardize configurations to ensure trustworthiness within all AI-assisted development tools. As the landscape of cybersecurity becomes increasingly complex and interconnected, organizations must adopt proactive measures to mitigate risks associated with these emerging threats.
