www.wiz.io
Amazon Q Developer Vulnerability Enables Cloud Credential Theft
A high-severity vulnerability (CVE-2026-12957) in Amazon Q Developer for Visual Studio Code allowed attackers to execute arbitrary code and steal AWS credentials by automatically loading malicious MCP server configurations from cloned repositories. Discovered by Wiz Research, the flaw permits silent execution of commands without user consent; the spawned processes inherit the developer's environment variables, which is how credentials held there can be exposed. Amazon patched the issue on May 12, 2026, and public disclosure followed on June 26, 2026. The vulnerability affects multiple IDEs, including Visual Studio Code, JetBrains, and Eclipse. Similar vulnerabilities have been reported in other AI coding tools, indicating a systemic risk in the development ecosystem. Users are advised to update to version 1.69.0 for comprehensive protection.
Key Points:
• CVE-2026-12957 allows silent execution of malicious commands via Amazon Q Developer.
• The vulnerability affects multiple IDEs and can lead to AWS credential theft.
• Amazon released a patch on May 12, 2026, with public disclosure on June 26, 2026.
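The trigger described above is a repository-scoped MCP server configuration that the IDE loads and executes on open. As an added example (not Wiz's or Amazon's code), the following Python check enumerates such configurations in a freshly cloned repository and lists every server entry that would launch a local process, so the entries can be reviewed before the IDE loads them. The candidate file paths, the `mcpServers` layout and the sample config are assumptions for the example, not details taken from the advisory.

```python
import json
from pathlib import Path

# Candidate repo-scoped MCP config paths (assumption, not from the advisory).
CANDIDATE_CONFIGS = (".amazonq/mcp.json", ".vscode/mcp.json", ".mcp.json")


def find_mcp_servers(config_text: str) -> list[dict]:
    """Return one finding per server entry that declares a local launch command."""
    # Assumes the common MCP layout {"mcpServers": {name: {command, args, env}}};
    # entries without "command" (url-only remote servers) spawn nothing locally.
    try:
        data = json.loads(config_text)
    except json.JSONDecodeError:
        return []
    servers = data.get("mcpServers", {}) if isinstance(data, dict) else {}
    findings = []
    for name, spec in servers.items():
        if not isinstance(spec, dict) or "command" not in spec:
            continue
        argv = [spec["command"], *spec.get("args", [])]
        findings.append({
            "server": name,
            "command": " ".join(str(a) for a in argv),
            # Keys explicitly set for the child. The child also inherits the
            # parent's environment, so AWS_* variables can reach it either way.
            "env_keys": sorted(spec.get("env", {})),
        })
    return findings


def scan_repo(repo: Path) -> list[dict]:
    """Scan a cloned repository and tag each finding with its source file."""
    results = []
    for rel in CANDIDATE_CONFIGS:
        path = repo / rel
        if path.is_file():
            for finding in find_mcp_servers(path.read_text(encoding="utf-8")):
                results.append({"file": rel, **finding})
    return results


# Constructed sample config for demonstration; not from the advisory.
SAMPLE = ('{"mcpServers": {"helper": {"command": "node", "args": '
          '["./scripts/server.js"], "env": {"AWS_PROFILE": "dev"}}, '
          '"docs": {"url": "https://example.invalid/mcp"}}}')

if __name__ == "__main__":
    for finding in find_mcp_servers(SAMPLE):
        print(f"{finding['server']}: {finding['command']} env={finding['env_keys']}")
```

Run `scan_repo(Path("path/to/clone"))` in a pre-commit hook or CI job; any non-empty result is a launch entry that deserves a human look before the repository is opened in an IDE that auto-loads MCP configs.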