Critical vulnerability in Amazon Q Developer exposes AWS credentials

What happened?

On May 12, 2026, Amazon patched a critical vulnerability in its AI coding assistant, Amazon Q Developer. The flaw, discovered by Wiz Research researchers and tracked as CVE-2026-12957 (CVSS score 8.7, high severity), allowed a malicious code repository, when cloned by a developer, to execute arbitrary commands on their local machine and steal their AWS credentials. The attack exploited Amazon Q's Model Context Protocol (MCP) feature, which allows the tool to interact with the file system and execute commands. By including a malicious configuration file in the repository, the attacker could trick Amazon Q into reading credentials stored in ~/.aws/credentials and sending them to an external server. Wiz Research reported the vulnerability to Amazon on April 20, 2026, and the fix was implemented on May 12, with public disclosure on June 3. This incident occurs in a context where AI assistants for developers have grown exponentially: according to GitHub data, Copilot already has over 1.8 million paid users as of early 2026, and Amazon Q Developer, launched in 2023, has been adopted by more than 100,000 companies. The vulnerability underscores the security risks inherent in deep integration of AI into the development workflow.

Why is it important?

This vulnerability is particularly serious because it affects a widely used AI tool that developers rely on to boost productivity. A successful attack could compromise all AWS accounts and resources associated with the stolen credentials, allowing the attacker to access sensitive data, launch costly instances, or perform other malicious actions. Moreover, the attack required no user interaction beyond cloning a repository, making it difficult to detect. This incident highlights the security risks inherent in AI assistants that have access to file systems and operating system commands, a topic that has been debated in the security community since the emergence of similar tools like GitHub Copilot. In 2024, a Stanford University study demonstrated that AI assistants can be manipulated to execute malicious code if proper access controls are not implemented. The Amazon Q flaw is a concrete example of this theory. The potential impact is enormous: according to AWS data, more than 60% of Fortune 500 companies use AWS cloud services, and many of them employ Amazon Q Developer. A successful attack could have compromised critical infrastructures. Additionally, AWS credential theft allows attackers to move laterally within the cloud, accessing databases, S3 buckets, or Lambda functions. This could result in massive data breaches, like the one at Capital One in 2019, where an attacker exploited a misconfigured firewall to steal data from 100 million customers. The Amazon Q vulnerability is similar in its ability to cause large-scale damage.

Consequences and lessons

Amazon has fixed the vulnerability, but the case leaves several important lessons:

• Audit AI assistant permissions: Developers should review what permissions AI tools have in their environments and limit their access to sensitive resources. For example, restrict access to credential files using access control lists (ACLs) or use secret management tools like AWS Secrets Manager.
• Do not blindly trust external repositories: Even when cloning repositories from seemingly trustworthy sources, there is a risk they contain malicious configurations. This attack is an example of repository poisoning, similar to software supply chain attacks that have affected npm and PyPI in recent years.
• Monitor tool behavior: Organizations should implement monitoring solutions that detect unusual access to credential files or suspicious outbound communications. Tools like AWS CloudTrail or GuardDuty can help identify anomalous activities.
• Layered security architecture: The vulnerability underscores the need to apply the principle of least privilege even to internal tools. Amazon Q Developer, having access to the local file system, should run in an isolated environment or with restricted permissions.

“This vulnerability is a reminder that the convenience of AI assistants should not sacrifice security. Every new permission granted to these tools expands the attack surface.” — Comment from a security analyst cited by The Next Web.

Compared to previous incidents, such as the GitHub Copilot security flaw in 2024 that allowed code injection through comments, the Amazon Q vulnerability is more dangerous because it requires no user interaction beyond cloning a repository. Additionally, the use of MCP as an attack vector is novel and could inspire similar attacks on other tools that implement context protocols.

What should readers know?

If you are an Amazon Q Developer user, make sure you have the latest version installed (after May 12, 2026) that includes the patch for CVE-2026-12957. Amazon has released an automatic update for AWS customers, but independent developers should manually verify. Also, consider rotating your AWS credentials as a precaution, especially if you have recently cloned unknown repositories. Review your organization's security policies regarding the use of AI assistants and promote awareness of this type of attack. Companies should consider implementing web application firewalls (WAF) and intrusion detection systems (IDS) that monitor outbound traffic from developer machines. As a best practice, store AWS credentials in secret managers rather than local files. The security community hopes this incident will drive AI assistant providers to adopt more robust security measures, such as sandboxed execution and human code review before executing commands.