High-Severity Flaw in Amazon Q Developer Allows Credential Theft via MCP Configs

A high-severity vulnerability in Amazon Q Developer, tracked as CVE-2026-12957, allows a malicious repository to execute arbitrary commands and steal a developer's cloud credentials. The flaw, disclosed by security researchers at Wiz, exploits how the AI coding assistant handles Model Context Protocol (MCP) server configurations.

The bug carries a CVSS score of 8.5, reflecting its potential for significant damage. The attack chain is relatively short: a developer opens a malicious repository, trusts the workspace, and Amazon Q processes MCP configurations that trigger unauthorized actions. Wiz reported the issue responsibly, and Amazon has deployed a patch.

The vulnerability hinges on the assistant's trust model for MCP servers. When a developer opens a repository and approves the workspace, Amazon Q automatically processes embedded MCP server configurations. Malicious repositories could craft these configurations to execute code in the developer's environment, exfiltrating sensitive cloud credentials stored locally.

Amazon has released a security update addressing CVE-2026-12957. Users are urged to update Amazon Q Developer to the latest version immediately. As a workaround, developers should carefully review workspace trust prompts and avoid opening repositories from untrusted sources until patching is complete.

Wiz researchers identified the flaw during routine security auditing of AI coding tools. The disclosure highlights the growing attack surface introduced by AI assistants that integrate deeply into development environments. Organizations using Amazon Q Developer should prioritize patching and consider additional monitoring for anomalous credential access.