Amazon Q Developer Flaw Could Let Malicious Repos Run Code via MCP Configs

A high-severity flaw in Amazon Q Developer let a malicious repository run commands and steal a developer's cloud credentials. The path was short: a developer opens the repo, trusts the workspace, and Amazon Q does the rest. Amazon has patched it. Tracked as CVE-2026-12957 (CVSS 8.5), the bug sat in how Amazon's AI coding assistant handled Model Context Protocol (MCP) servers. Wiz

The article reports a high-severity vulnerability (CVE-2026-12957, CVSS 8.5) in Amazon Q Developer’s Language Servers for AWS, where a malicious repository could include an MCP configuration file that, once the workspace is trusted, causes Amazon Q to auto-launch attacker-controlled MCP servers, execute arbitrary commands, and exfiltrate the developer’s AWS credentials and environment variables.[2][1][3][4][6] Amazon has patched the issue by requiring explicit approval before starting MCP servers and by upgrading Language Servers for AWS and all affected IDE plugins.[1][2][3][4] From a CyberSE.AI perspective, this is a clear case of AI agent abuse and AI supply chain risk: the AI coding assistant is being used as an execution and credential-theft vector via config-driven tool integrations, highlighting the need for strict trust boundaries, explicit tool-launch consent, environment variable scoping, and continuous red-teaming of AI agents that can run code or access cloud credentials.