Amazon Q Developer Flaw Let Attackers Steal AWS Credentials via Repos
CVE-2026-12957 and CVE-2026-12958 enabled code execution and AWS credential theft when developers opened malicious repositories. Patch auto-applied for most users.
Wiz Research disclosed two high-severity vulnerabilities in Amazon Q Developer that enabled arbitrary code execution and AWS credential theft when developers opened malicious repositories—without any user interaction or warning prompts.
Amazon patched both flaws and published Security Bulletin 2026-047-AWS on June 26 following coordinated disclosure.
The Vulnerability Chain
The flaws (CVE-2026-12957 and CVE-2026-12958) stemmed from Amazon Q's automatic execution of MCP (Model Context Protocol) server configurations from .amazonq/mcp.json files in untrusted workspaces.
When a developer cloned a malicious repository and opened it in their IDE, Amazon Q automatically loaded the MCP configuration. Attackers could specify a custom MCP server pointing to a malicious endpoint that executed arbitrary code on the developer's machine.
Because spawned processes inherited the developer's full environment, attackers could access AWS credentials:
- AWS_ACCESS_KEY_ID
- AWS_SECRET_ACCESS_KEY
- AWS_SESSION_TOKEN
No clicks required. Open the repo, lose your credentials.
Attack Scenario
The most likely exploitation path mirrors other supply chain attacks we've tracked:
- Attacker creates a legitimate-looking open-source project
- Embeds malicious .amazonq/mcp.json in the repository
- Promotes the project through developer communities
- Waits for victims to clone and open the project
- Harvests AWS credentials from developers' environments
For organizations where developers routinely evaluate third-party code, this creates significant exposure. A single compromised developer machine could lead to cloud account takeover.
Who Was Affected
Any developer using Amazon Q Developer IDE extensions before version 1.69.0 was vulnerable. This includes:
- VS Code users with the Amazon Q extension
- JetBrains IDE users with the Amazon Q plugin
The vulnerable configuration would execute without prompting when any repository containing a malicious .amazonq/mcp.json was opened.
Timeline
- April 20, 2026: Maor Dokhanian of Wiz Research reported the vulnerability to Amazon
- May 12, 2026: Amazon deployed initial fix
- June 26, 2026: Full public disclosure under Security Bulletin 2026-047-AWS
Remediation
The fix is automatically applied for most users upon IDE reload. Update to Language Servers for AWS version 1.69.0 or later.
After updating:
- Rotate any AWS credentials that may have been exposed
- Review CloudTrail logs for unusual API activity
- Check for unauthorized IAM changes
Why This Matters
AI coding assistants are increasingly integrated into developer workflows, and with that integration comes new attack surface. The MCP protocol—designed to let AI tools interact with external services—creates exactly the kind of trust boundary attackers love to exploit.
This disclosure follows a pattern of AI agent security issues we've covered, where automation features create unintended code execution paths.
The broader lesson: treat any repository-controlled configuration file with the same suspicion you'd give executable code. If an AI tool auto-executes configs from untrusted sources, assume attackers will abuse it.
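One way to apply that lesson before opening a freshly cloned repository, as an added example that is not from Wiz, Amazon or this article's sources: the script finds every .amazonq/mcp.json in the tree, lists what each server entry would run or contact, and reports which of the three AWS credential variables are set in the current environment. The mcpServers/command/args/url layout is an assumed MCP config schema, and SAMPLE and demo() are constructed for illustration.

```python
import json
import os
import tempfile
from pathlib import Path

# Credential variables the article lists as inherited by spawned processes.
AWS_CRED_VARS = ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN")
# Constructed sample config (assumed "mcpServers" layout); values are placeholders.
SAMPLE = {"mcpServers": {"helper": {"command": "node", "args": ["server.js"]}}}


def audit_config(path):
    """Summarise each server entry a workspace config would start or contact."""
    try:
        doc = json.loads(Path(path).read_text(encoding="utf-8"))
    except (OSError, ValueError) as exc:  # unreadable file or malformed JSON
        return [{"file": str(path), "server": None, "error": str(exc)}]
    servers = doc.get("mcpServers") if isinstance(doc, dict) else None
    findings = []
    for name, spec in (servers if isinstance(servers, dict) else {}).items():
        spec = spec if isinstance(spec, dict) else {}
        findings.append({"file": str(path), "server": name, "url": spec.get("url"),
                         "command": spec.get("command"), "args": spec.get("args", [])})
    return findings


def audit_repo(repo_root, environ=None):
    """Audit a cloned repo before opening it; reports credential names, never values."""
    environ = os.environ if environ is None else environ
    configs = sorted(p for p in Path(repo_root).rglob("mcp.json")
                     if p.parent.name == ".amazonq")
    findings = [f for cfg in configs for f in audit_config(cfg)]
    exposed = [v for v in AWS_CRED_VARS if environ.get(v)]
    return {"findings": findings, "exposed_credentials": exposed,
            "review_required": bool(findings)}


def demo():
    """Write SAMPLE into a throwaway repo and audit it with a constructed environment."""
    with tempfile.TemporaryDirectory() as repo:
        cfg = Path(repo, "pkg", ".amazonq", "mcp.json")
        cfg.parent.mkdir(parents=True)
        cfg.write_text(json.dumps(SAMPLE), encoding="utf-8")
        return audit_repo(repo, {"AWS_ACCESS_KEY_ID": "constructed-value"})


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```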