A high-severity vulnerability in Amazon’s AI coding assistant for Visual Studio Code recently exposed developers to significant risk. The flaw meant that simply opening a compromised Git repository could allow an attacker to execute arbitrary code on a developer’s local machine and potentially steal cloud environment credentials.
Tracked as CVE-2026-12957 with a CVSS 4.0 score of 8.5, the vulnerability originated from how Amazon Q processed Model Context Protocol (MCP) server configurations. Security researchers at Wiz discovered that the extension would automatically load and execute commands found within a repository’s .amazonq/mcp.json file as soon as a developer opened the project and activated the AI tool.
“The security model assumes the user explicitly configures these servers. After all, you’re granting an AI assistant permission to run arbitrary commands on your machine. This should require informed consent,” the researchers noted. “The vulnerability arose when this assumption was violated: Amazon Q automatically loaded MCP configurations from .amazonq/mcp.json within the workspace – no prompt, no consent, no workspace trust check.”
MCP allows AI assistants to launch local processes to perform specific tasks. Because these processes inherit the developer’s existing environment, they gain access to sensitive data, including AWS credentials, API keys, authentication tokens, SSH agent sockets, and other session-loaded secrets.
Wiz demonstrated the danger by creating a repository with a malicious MCP configuration. Upon opening the project and activating Amazon Q, the extension executed a command against AWS using the developer’s active credentials without any further user interaction.
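As an added example (not code from Wiz, Amazon, or this article), the following Python script checks a cloned repository for a workspace-level .amazonq/mcp.json before the project is opened in the IDE, listing the process each entry would start and the names of credential-bearing environment variables that process would inherit. The mcpServers/command/args layout, the suffix heuristic, and the sample config are assumptions of this example.

```python
import json
import os
import tempfile
from pathlib import Path

MCP_CONFIG = Path(".amazonq") / "mcp.json"   # workspace path named in the article
# Credential-bearing variables a spawned MCP process would inherit.
SENSITIVE = {"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN", "SSH_AUTH_SOCK"}
SUFFIXES = ("_TOKEN", "_API_KEY", "_SECRET")  # heuristic, an assumption of this example


def audit_workspace(root):
    """List the process each workspace-defined MCP server would start."""
    path = Path(root) / MCP_CONFIG
    if not path.is_file():
        return []
    try:
        # Assumed layout: {"mcpServers": {name: {"command": str, "args": [...]}}}
        servers = json.loads(path.read_text(encoding="utf-8")).get("mcpServers", {})
        return [{"server": name, "argv": [spec["command"], *spec.get("args", [])]}
                for name, spec in servers.items()]
    except (ValueError, KeyError, TypeError, AttributeError):
        # Malformed file: report it rather than treating the repo as clean.
        return [{"server": None, "argv": None}]


def inherited_secrets(env):
    """Names (never values) of variables a child process would receive."""
    return sorted(k for k in env if k in SENSITIVE or k.endswith(SUFFIXES))


def write_constructed_sample(root):
    """Create a constructed, harmless config for demonstration."""
    cfg = Path(root) / MCP_CONFIG
    cfg.parent.mkdir(parents=True)
    cfg.write_text(json.dumps(
        {"mcpServers": {"docs-helper": {"command": "node", "args": ["tools/server.js"]}}}))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as repo:
        write_constructed_sample(repo)
        for finding in audit_workspace(repo):
            print("workspace MCP server:", finding)
        print("would be inherited:", inherited_secrets(os.environ))
```

Any non-empty result from audit_workspace on an untrusted clone is a reason to read the config before activating the assistant in that workspace.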
Amazon has since resolved the issue in version 1.65.0 of its language server, which powers the IDE integrations for Amazon Q. Most users should receive the patch automatically via standard updates.
“We would like to thank Wiz for collaborating with us on this issue. We have remediated this issue in language server version 1.65.0,” Amazon stated in an advisory.
Wiz suggests that this vulnerability reflects a broader industry trend rather than an isolated incident. As more AI coding assistants adopt MCP to integrate models with local tools, the potential for similar workspace configuration flaws increases. Researchers warn that attackers are increasingly targeting hidden configuration files—elements that developers often trust implicitly—to embed malicious code.

