Breaking

AWS Patches Amazon Q Developer Flaw That Could Expose AWS Keys via Repos

June 26, 2026 at 10:47 EDT

Security
Software Dev & Coding
AI Agents

AWS on June 23 disclosed and fixed two vulnerabilities in Language Servers for AWS, the runtime underpinning its AI coding assistant Amazon Q Developer. Opening a malicious repository and trusting the workspace could let an attacker run arbitrary code using the developer's AWS credentials.

June 23 · AWS Security Bulletin 2026-047

Amazon Q Developer Flaw Could Leak Your AWS Keys From a "Trusted" Folder

A malicious repository could run arbitrary code and steal AWS credentials the moment a developer opens it and clicks "trust this folder" — no extra approval, no second sign-in.

8.5

CVSS score (High) for CVE-2026-12957

IDE plugins affected: VS Code, JetBrains, Eclipse, Visual Studio

Confirmed real-world exploits at disclosure

CVEs patched (12957 & 12958)

HOW ONE CLICK BECOMES CODE EXECUTION

STEP 1

Open a malicious repository in the IDE

→

STEP 2

Approve "do you trust this folder?"

→

STEP 3

Commands in .amazonq/mcp.json run automatically

→

RESULT

AWS credentials inherited & exfiltrated

No separate MCP approval and no additional sign-in required. The trusted process inherits the developer's existing AWS keys.

NOT JUST AMAZON Q — AN INDUSTRY-WIDE PATTERN

Multiple AI coding tools have hit RCE issues via MCP configuration — the shared risk of agents that "trust project settings."

Amazon Q · CVE-2026-12957 Claude Code · CVE-2025-59536 Cursor · CVE-2025-54136 Windsurf

THE FIX — NO WORKAROUND, UPDATE NOW

Patched in Language Servers for AWS v1.69.0+. Minimum patched plugin versions:

Amazon Q for VS Code

v2.20+

JetBrains

v4.3+

Eclipse

v2.7.4+

Visual Studio (AWS Toolkit)

v1.94.0.0+

Continue reading

The rest of this article is for AI News Blitz readers. Choose an option below to keep reading.