TheVortiq
Artificial Intelligence

Amazon Q vulnerability enables code execution and credential theft in Git repositories

A high-severity flaw in AWS's AI coding assistant exposes cloud credentials when opening malicious repositories.

June 26, 2026 · 5 min read


TL;DR: A critical vulnerability (CVE-2026-12957, CVSS 8.5) in Amazon Q for VS Code allows a malicious Git repository to execute arbitrary code and steal AWS credentials when the project is opened. Amazon has released a patch in version 1.65.0 of the language server.

Researchers at Wiz discovered a high-severity vulnerability in Amazon Q, AWS's AI coding assistant for Visual Studio Code. The flaw, registered as CVE-2026-12957 with a CVSS 4.0 score of 8.5 (out of 10), allows a manipulated Git repository to execute arbitrary code on the developer's machine and steal cloud credentials. This finding, reported by The Register, exposes a systemic weakness in the implementation of the Model Context Protocol (MCP) that affects not only AWS but an entire generation of AI coding assistants.

What happened?

The problem lies in how Amazon Q handles Model Context Protocol (MCP) configurations. When a developer opens a project containing a .amazonq/mcp.json file and activates Amazon Q, the extension automatically loads that file and executes the commands it contains, without requesting confirmation or verifying workspace trust. According to Wiz, 'the security model assumes the user explicitly configures these servers,' and the vulnerability breaks that assumption: the assistant launches local processes that inherit the developer's entire environment, including AWS credentials, API keys, authentication tokens, SSH agent sockets, and any other secrets loaded in the session. 'The combination meant that a single malicious configuration file could execute arbitrary commands with full access to the developer's credentials, without user interaction beyond opening the folder and activating Amazon Q,' the researchers explained.

To demonstrate the attack, Wiz built a repository with a malicious MCP configuration. Upon opening the project and activating Amazon Q, the extension executed a command against AWS using the developer's existing credentials. The vulnerability was reported to AWS, which fixed it in version 1.65.0 of its language server. 'We thank Wiz for collaborating with us on this issue. We have remediated the issue in version 1.65.0 of the language server,' Amazon stated in an advisory, though it did not respond to additional questions from The Register.

Why is this important?

This vulnerability is not an isolated case. Wiz notes it is an industry-wide problem, as more AI coding assistants adopt MCP to connect models to local tools and services. Similar flaws in workspace configuration files have recently appeared in other AI tools. Attackers have found a new place to lurk: hidden files that developers rarely question. The potential impact is enormous. A malicious repository, when cloned and opened, could compromise not only the developer's machine but also the entire cloud infrastructure to which it has access. Given that many developers work with multiple projects and public repositories, the risk of propagation is high. Historically, similar attacks have occurred in editors like Vim and Emacs, where configuration files such as .vimrc or .emacs could execute commands when opening a project. However, the novelty here is that execution occurs through an AI assistant, amplifying the risk due to the implicit trust developers place in these tools.

According to Wiz, the vulnerability stems from Amazon Q not properly implementing the concept of 'trusted workspace,' a common feature in editors like VS Code that warns users before executing code from an untrusted project. While VS Code displays a message asking whether to trust the project author, Amazon Q ignored that check and loaded the MCP configuration automatically. This allowed any repository, even one cloned from an unknown source, to execute arbitrary commands without consent.

What will be the consequences?

Amazon has fixed the bug in version 1.65.0 of its language server, which powers Amazon Q integrations in IDEs. Existing installations should receive the patched component automatically, unless automatic updates have been blocked. However, the security community expects this incident to push other AI assistant providers to review their MCP implementations and adopt stricter security measures, such as requesting explicit consent before loading configurations. Additionally, Wiz recommends that providers implement integrity checks on MCP files and limit the permissions of processes launched by AI assistants. For developers, the lesson is clear: be cautious with repositories from unknown sources and keep development tools updated. It is also advisable to review hidden configuration files in projects before opening them with AI assistants.

The incident also highlights the need for cloud providers like AWS to strengthen the security of their AI tools. Since Amazon Q is integrated into AWS, a successful attack could escalate from the developer's machine to cloud resources such as S3 buckets, databases, or Lambda functions. Wiz has already demonstrated that it is possible to execute AWS CLI commands using the developer's credentials, which could lead to data exfiltration or lateral movement within the AWS account.

What should readers know?

If you are a developer using Amazon Q in VS Code, ensure you have the latest version of the language server (1.65.0 or higher). Avoid opening repositories from untrusted sources while Amazon Q is active. Consider temporarily disabling the extension if working with unknown projects. Also, pay attention to .amazonq/mcp.json files in repositories you clone. For security administrators, it is recommended to audit the use of AI assistants in development environments and establish policies that restrict automatic execution of configurations. At the industry level, this case should serve as a catalyst for redesigning MCP with a more robust security model, similar to how browser extensions or mobile app permissions are handled.

The CVE-2026-12957 vulnerability is a reminder that the convenience of AI assistants should not sacrifice security. Automating trust is a risk the industry must urgently address. As Wiz noted, 'the problem is not just Amazon's, it's the entire industry's.' Adopting MCP without proper safeguards could turn AI assistants into privileged attack vectors.
