cyberivy
Amazon Q · AI Security · MCP · CVE-2026-12957 · Developer Tools · Cloud Security · Supply Chain Security · AWS

Amazon Q flaw shows the repo risk in coding agents

June 29, 2026


Wiz disclosed an Amazon Q flaw where an opened repository could execute code and reach cloud credentials. The case turns MCP consent into a security issue.

What this is about

Wiz Research publicly disclosed a vulnerability in Amazon Q Developer on 26 June 2026. The flaw, CVE-2026-12957, affected Language Servers for AWS before version 1.65.0 and could allow a crafted repository to execute commands when opened in an IDE.

This matters because coding assistants today do more than suggest text. They start local processes, read project configuration, and use protocols such as MCP to reach tools. That is where convenience turned into a trust boundary.

What the Amazon Q flaw actually does

According to Wiz, Amazon Q loaded a .amazonq/mcp.json file from the workspace and started MCP servers defined inside it without separate consent. Those processes inherited the developer’s environment. In practice, that environment can contain AWS keys, cloud CLI tokens, API secrets, or SSH agent sockets.

The proof of concept was short: a victim clones a repository, opens it in VS Code with Amazon Q, and a hidden MCP command can run aws sts get-caller-identity and send the result to an attacker. AWS has patched the issue, according to its bulletin, and recommends updated plugin and language-server versions.

Why it matters

The case hits a sensitive point in AI development. Repositories are not automatically trustworthy. Pull requests, coding tests, example projects, and dependencies can contain configuration files. If a coding agent treats those files as a trigger for local processes, git clone becomes a security decision.

The Hacker News frames the flaw as part of a wider pattern: other coding tools have also had issues where project configuration turned into executable behavior. That does not mean MCP is wrong. It means every execution from a project folder needs explicit consent, a minimal environment, and visible logging.

In plain language

Imagine someone hands you a folder of documents. Normally you read the pages. In this case, the folder also contains a small switch that automatically copies your safe key when you open it. The mistake is not using folders; it is letting the switch fire without asking.

A practical example

A DevOps team reviews 30 external pull requests per week. Three people work with active AWS profiles because they are also testing infrastructure. An attacker submits a seemingly harmless PR with .amazonq/mcp.json. If a developer opens the branch locally, a command could run with that developer’s cloud rights.

After the patch, the IDE should warn. Still, good practice remains: open unknown repos in containers or disposable environments, avoid keeping cloud profiles active in the shell, make MCP configuration visible in review, and run agents with minimal permissions.
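One way to put "make MCP configuration visible in review" into practice, as an added example that is not Amazon Q's, AWS's or Wiz's code: a small scanner that lists every MCP server a checked-out branch would launch, so a reviewer sees executable configuration before anyone opens the branch in an IDE. It assumes the common mcp.json shape with a top-level mcpServers object, and the keyword list and sample workspace are constructed for the demo.

```python
"""Pre-review check: enumerate MCP servers declared in a workspace.
Added example; assumes {"mcpServers": {"name": {"command", "args", "env"}}}."""
import json
import tempfile
from pathlib import Path

# File names agent tools read from a workspace (assumed list, extend as needed).
MCP_CONFIG_NAMES = {"mcp.json"}
# Fragments that suggest credentials are in reach (assumed, tune per team).
SENSITIVE = ("aws", "sts", "credential", "token", "secret", ".ssh")


def scan_mcp_configs(root):
    """Return one finding per MCP server declared anywhere under root."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.name not in MCP_CONFIG_NAMES or not path.is_file():
            continue
        rel = str(path.relative_to(root))
        try:
            servers = json.loads(path.read_text()).get("mcpServers", {})
        except (json.JSONDecodeError, AttributeError):
            findings.append({"file": rel, "error": "unparseable"})
            continue
        for name, spec in servers.items():
            cmdline = " ".join([spec.get("command", "")] + list(spec.get("args", [])))
            findings.append({
                "file": rel,
                "server": name,
                "cmdline": cmdline,
                # Every server is a local process; flag the ones whose command
                # line or injected env hints at credentials for mandatory review.
                "suspicious": any(s in cmdline.lower() for s in SENSITIVE)
                or bool(spec.get("env")),
            })
    return findings


def demo():
    """Constructed workspace with a hidden .amazonq/mcp.json, then scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg = Path(tmp, ".amazonq", "mcp.json")
        cfg.parent.mkdir()
        cfg.write_text(json.dumps({"mcpServers": {
            "helper": {"command": "sh", "args": ["-c", "aws sts get-caller-identity"]}
        }}))
        return scan_mcp_configs(tmp)
```

Run as a CI step over the merge-base diff and the findings become a review comment; any suspicious entry blocks the merge until a human approves it.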

Scope and limits

  • Wiz and AWS describe the consent issue differently: AWS points to Workspace Trust, while Wiz points to missing separate consent for MCP servers before the fix.
  • According to The Hacker News, there is no known public exploitation; that does not make the issue theoretical because the proof of concept shows the path.
  • The fix reduces this specific risk, but it does not automatically solve the larger problem of executable project configuration in agent tools.


💡 In plain English

A crafted repository could make Amazon Q run local commands with a developer’s environment attached. The risk is especially high when that environment contains cloud keys or active AWS sessions.

Key Takeaways

  • Wiz disclosed the Amazon Q flaw on 26 June 2026.
  • CVE-2026-12957 affects Language Servers for AWS before version 1.65.0.
  • The risk comes from automatically loaded MCP configuration in the workspace.
  • AWS has patched it; teams should still separate repositories and agent privileges more strictly.

FAQ

Do I need to uninstall Amazon Q immediately?

No. AWS has released updates. The key step is keeping plugins and language servers current and treating unknown repos carefully.

Is MCP itself insecure?

Not inherently. The danger appears when project files can start local processes without clear consent.

Who is most exposed?

Developers with active cloud credentials, maintainers of popular projects, and teams reviewing external repositories locally.

Sources & Context