Adversaries could plant a malicious repository that can execute arbitrary code and steal cloud credentials by exploiting the vulnerability, which showcases growing MCP risk.
June 29, 2026
Amazon Web Services (AWS) has fixed a high-severity security vulnerability in an Amazon Q developer extension that could allow attackers to execute arbitrary code and steal cloud credentials, just by convincing a developer to open a malicious repository. The flaw involves an issue with Model Context Protocol (MCP) servers, which are emerging as a weak security link in organizational artificial intelligence (AI) infrastructure.
Researchers from Wiz Research discovered the bug, tracked as CVE-2026-12957, in the Amazon Q Developer extension for Visual Studio Code, according to a recent blog post. The flaw stemmed from Amazon Q's handling of MCP, which by default automatically loaded and executed MCP server configurations from workspace files without requiring user approval.
Because these spawned processes inherited the developer's full environment, an attacker could potentially access AWS credentials, API keys, SSH agent sockets, and other sensitive secrets available in the developer's session, observed Maor Dokhanian, threat researcher at Wiz, in the post. "Combined with full environment inheritance, this enabled immediate code execution," he wrote.









