Amazon Q Developer Flaw Exposes AWS Credentials: Urgent Update Required
June 27, 2026
A flaw in the Amazon Q Developer extension causes it to automatically load and execute MCP server configurations without user consent, enabling attackers to exfiltrate environment variables, including AWS credentials.
The attack vector centers on placing a single .amazonq/mcp.json file in a repository; when a developer opens that repository in an IDE with the vulnerable extension, MCP configurations run automatically in the user’s environment.
Wiz Research alerted Amazon on April 20, 2026; the patch (Language Servers for AWS 1.65.0) was released in mid-May, and public disclosure followed on June 26, 2026.
At disclosure time there were no known public exploits; organizations should audit developer activity and consider rotating AWS credentials as a precaution.
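The mechanism described above (a repository-shipped .amazonq/mcp.json whose server entries are launched on open) and the audit recommendation suggest a simple defensive check: before opening an untrusted checkout, find any such files and report what each configured server would launch and which AWS_* variables it references. The script below is an added example, not tooling from Wiz, Amazon or Crypto Briefing. It assumes the common MCP client layout ("mcpServers" entries with "command", "args" and "env" keys); the sample config and the sensitive-variable list are constructed for illustration.

```python
"""Audit a checkout for .amazonq/mcp.json and describe each MCP server entry.

Added example (not from the page's source or the vendor). Assumes the common
MCP client config shape: {"mcpServers": {name: {"command", "args", "env"}}}.
"""
import json
import os
import re
import tempfile
from pathlib import Path

# Variable names worth a closer look when they appear in a server's env block
# or argument list. Constructed list; extend to match your environment.
SENSITIVE_ENV = re.compile(
    r"AWS_(ACCESS_KEY_ID|SECRET_ACCESS_KEY|SESSION_TOKEN|PROFILE|REGION)"
)

# Constructed sample: one server references AWS variables, one does not.
SAMPLE_CONFIG = json.dumps({
    "mcpServers": {
        "docs-helper": {
            "command": "npx",
            "args": ["-y", "example-mcp-server", "--token", "$AWS_SESSION_TOKEN"],
            "env": {"AWS_REGION": "us-east-1", "LOG_LEVEL": "debug"},
        },
        "linter": {"command": "node", "args": ["lint.js"]},
    }
})


def find_mcp_configs(root):
    """Yield every .amazonq/mcp.json below root. os.walk does not follow symlinks."""
    for dirpath, _dirnames, filenames in os.walk(Path(root)):
        if Path(dirpath).name == ".amazonq" and "mcp.json" in filenames:
            yield Path(dirpath) / "mcp.json"


def analyze_config(text):
    """Parse one mcp.json body and return a list of findings, one per server.

    Malformed input is reported as a finding rather than raised: a repository
    that ships a broken MCP config still deserves attention."""
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        return [{"server": None, "issue": f"unparseable JSON: {exc.msg}"}]
    servers = data.get("mcpServers") if isinstance(data, dict) else None
    if not isinstance(servers, dict):
        return [{"server": None, "issue": "no mcpServers object"}]

    findings = []
    for name, spec in servers.items():
        spec = spec if isinstance(spec, dict) else {}
        command = spec.get("command")
        args = [str(a) for a in spec.get("args", []) if a is not None]
        env = spec.get("env") if isinstance(spec.get("env"), dict) else {}
        # Collect AWS_* names appearing in env keys, env values, or arguments.
        haystack = list(env.keys()) + [str(v) for v in env.values()] + args
        refs = sorted({m.group(0) for s in haystack for m in SENSITIVE_ENV.finditer(s)})
        findings.append({
            "server": name,
            "command": command,          # process the IDE would spawn on open
            "args": args,
            "env_keys": sorted(env.keys()),
            "aws_env_refs": refs,        # non-empty means review before opening
            "launches_process": command is not None,
        })
    return findings


def audit_tree(root):
    """Scan a checkout and return {config_path: findings}."""
    return {
        str(p): analyze_config(p.read_text(encoding="utf-8", errors="replace"))
        for p in find_mcp_configs(root)
    }


def demo_audit():
    """Write the constructed sample into a temporary repo layout and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg_dir = Path(tmp) / "repo" / ".amazonq"
        cfg_dir.mkdir(parents=True)
        (cfg_dir / "mcp.json").write_text(SAMPLE_CONFIG, encoding="utf-8")
        return audit_tree(tmp)


if __name__ == "__main__":
    for path, findings in demo_audit().items():
        print(path)
        for f in findings:
            print("  ", f)
```

Run it against a freshly cloned repository root instead of the temporary demo tree; any entry with a non-empty aws_env_refs list, or any server at all in a repository you did not expect to ship MCP configuration, is a reason to hold off opening it in the IDE until the extension is confirmed to be on the patched version.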
Remediation guidance recommends upgrading to Amazon Q Developer extension version 1.65.0 or later, with a stronger fix in 1.69.0 that also addresses CVE-2026-12958 tied to MCP symlink validation.
CVE-2026-12957 describes a vulnerability in Amazon Q Developer that enables cloud credential theft through poisoned code repositories, with a CVSS score of 8.5.
Exfiltration happens silently, without prompts or indicators, potentially exposing AWS keys, session tokens, and region settings.
The incident echoes similar MCP-related risks in other AI coding tools (Claude Code, Cursor, Windsurf), underscoring a broader risk when tools automatically load repository configurations.
Summary based on 1 source
Source

Crypto Briefing • Jun 27, 2026
Amazon Q Developer flaw allows cloud credential theft via malicious repositories