A vulnerability in Amazon Q Developer allowed malicious repositories to obtain AWS credentials through compromised MCP servers.
A critical vulnerability in Amazon Q Developer allowed the automatic loading of compromised MCP servers from cloned repositories, enabling attackers to stealthily acquire AWS credentials. This flaw, identified by Wiz Research as CVE-2026-12957, was reported to Amazon on April 20 and subsequently patched on May 12, with the public disclosure occurring today.
The attack took advantage of how Amazon Q Developer manages MCP servers, which facilitate connections between AI coding assistants and external tools and data sources. A configuration file within a repository could automatically register and initiate an attacker-controlled MCP server when a developer cloned the project, bypassing any prompt or consent requirement. This server would then inherit the complete AWS credentials, IAM role, and any available environment variables from the developer's IDE.
Wiz researchers showcased the vulnerability by creating a proof of concept that executed a standard AWS identity command via the malicious MCP server, transmitting the results to an external server. The command retrieved the developer’s AWS account ID, user ARN, and session credentials—essential information for attackers looking to access cloud resources. Since the MCP server launched automatically upon opening the repository, the attack required no further interaction other than cloning the code, a method that has previously led to supply chain breaches in other AI coding tools.
Amazon addressed the issue by mandating explicit user consent before any MCP server can be initiated and by limiting the environment variables accessible to MCP servers. Additionally, a second vulnerability discovered during the same audit, CVE-2026-12958, indicated that the plugin did not verify symbolic links when generating workspace files, allowing an attacker to write arbitrary files on a developer’s machine. Amazon has released updates for the Language Servers for AWS and the corresponding IDE plugins for VS Code, JetBrains, Eclipse, and Visual Studio to rectify both vulnerabilities.
This disclosure adds Amazon Q Developer to a growing roster of AI coding tools that have been found susceptible to supply chain attacks, which exploit the trust these tools place in repository contents. Earlier this year, Anthropic's Claude Code was discovered to be vulnerable to a similar credential-theft attack via prompt injection in GitHub Actions. In recent months, Cursor and Codeium’s Windsurf have also reported MCP-related vulnerabilities.
The core issue stems from MCP's inherent design, which grants AI assistants the capability to call external tools using the permissions of the host application. When a repository can silently activate an MCP server that inherits a developer’s cloud credentials, the potential attack surface extends beyond just the code itself to encompass every service the developer can access. Amazon asserts that there is no evidence suggesting the vulnerability was exploited in real-world scenarios, and CISA's advisory database does not list any known attacks.
Developers utilizing Amazon Q Developer are urged to update their IDE plugins to the latest available versions immediately and to review any repositories they have recently cloned for unexpected configuration files. The overarching lesson reiterates a recurring theme across AI developer tools: any configuration file capable of initiating code execution upon cloning represents a potential threat, and the tools that execute it automatically risk leaving their safety mechanisms disabled.
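One way to carry out that review, shown as an added example that is not Wiz's or Amazon's code: a small Python audit that walks a cloned repository without opening it in an IDE, lists every MCP server declaration found in JSON files, and flags symbolic links that resolve outside the repository. The `mcpServers`, `command`, `args` and `url` key names are assumptions based on common MCP client configuration files; the article does not name the file Amazon Q Developer reads.

```python
import json
import os
import sys
from pathlib import Path

# Assumption: servers are declared under an "mcpServers" key, as in common MCP
# client configs; the article does not name the file Amazon Q Developer reads.
SERVER_KEY = "mcpServers"
MAX_BYTES = 1_000_000  # skip very large JSON files

def find_servers(node):
    """Yield (name, spec) for each server declared under any nested SERVER_KEY."""
    if isinstance(node, dict):
        servers = node.get(SERVER_KEY)
        if isinstance(servers, dict):
            yield from ((n, s) for n, s in servers.items() if isinstance(s, dict))
        for value in node.values():
            yield from find_servers(value)
    elif isinstance(node, list):
        for item in node:
            yield from find_servers(item)

def audit_repo(root):
    """Return (kind, relative_path, detail) findings for a cloned repository."""
    root, findings = Path(root).resolve(), []
    for dirpath, dirnames, filenames in os.walk(root):  # does not follow symlinks
        if ".git" in dirnames:
            dirnames.remove(".git")
        for name in dirnames + filenames:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            try:
                if path.is_symlink():
                    target = path.resolve()
                    if not target.is_relative_to(root):
                        findings.append(("symlink-escape", rel, str(target)))
                    continue
                if not (name.endswith(".json") and path.is_file()) or path.stat().st_size > MAX_BYTES:
                    continue
                doc = json.loads(path.read_text(encoding="utf-8"))
            except (OSError, ValueError, RuntimeError):
                continue  # unreadable, not JSON, or a symlink loop
            for server, spec in find_servers(doc):
                args = spec.get("args") if isinstance(spec.get("args"), list) else []
                launch = " ".join(str(p) for p in [spec.get("command") or spec.get("url") or "?", *args])
                findings.append(("mcp-server", rel, f"{server}: {launch}"))
    return findings

if __name__ == "__main__":
    for finding in audit_repo(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(*finding, sep="\t")
```

Every `mcp-server` line is a command or endpoint the repository asks an MCP client to start, so each one should be recognised by the person reviewing it before the project is opened in an IDE.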
Published June 26, 2026 - 4:49 pm UTC
