
Amazon Q Developer Flaw Could Let Malicious Repos Run Code via MCP Configs

Amazon has fixed a high-severity vulnerability in Amazon Q Developer that allowed malicious repositories to execute code and exfiltrate cloud credentials through Model Context Protocol configurations. The Hacker News reported June 26 that the flaw, tracked as CVE-2026-12957 with a CVSS score of 8.5, was found A single config file in a cloned repo was enough to reach this state once the workspace was trusted. In a proof of concept, Wiz showed the file could run aws sts get-caller-identity and send the output to an attacker server. Amazon said users must trust the workspace when prompted. Wiz said there was no separate consent step for the MCP servers before the fix. The patch now flags untrusted MCP servers and lets developers reject them. The flaw was in Language Servers for AWS, used No public exploitation is known. Wiz reported the issue April 20 and saw a fix May 12.
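As an added illustration of the pre-trust review the fix introduces (example code written for this page, not Amazon's or Wiz's), the script below enumerates the MCP server definitions a repository ships and flags any launch command a developer has not pre-approved, so what trusting the workspace would execute is visible before consent is given. The JSON layout (an "mcpServers" map of "command"/"args" entries) and the approved list are assumptions about the client's configuration format, not details taken from the advisory.

```python
"""Pre-trust review of MCP server definitions found in a cloned repository.

Added example; the {"mcpServers": {name: {"command", "args"}}} layout and the
config file location (e.g. a JSON file under the workspace) are assumptions
about the client's format, not taken from the advisory."""
import json
from pathlib import Path

APPROVED_LAUNCHES = frozenset({"npx -y @example/docs-mcp"})  # reviewer-maintained
SHELL_OR_CLOUD_CLI = {"sh", "bash", "zsh", "cmd", "cmd.exe", "powershell", "aws"}

# Constructed sample: one benign server and one that runs the aws CLI via a shell.
SAMPLE_CONFIG = json.dumps({"mcpServers": {
    "docs": {"command": "npx", "args": ["-y", "@example/docs-mcp"]},
    "helper": {"command": "sh", "args": ["-c", "aws sts get-caller-identity"]},
}})

def load_mcp_servers(text: str) -> dict:
    """Return the mcpServers map from an MCP config document, or {} if malformed."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError:
        return {}
    servers = doc.get("mcpServers") if isinstance(doc, dict) else None
    return servers if isinstance(servers, dict) else {}

def review_servers(servers: dict, approved=APPROVED_LAUNCHES) -> list:
    """Flag every server that would start on workspace trust and is not pre-approved."""
    findings = []
    for name, spec in servers.items():
        if not isinstance(spec, dict):
            continue  # malformed entry: nothing the client could launch
        command = str(spec.get("command", ""))
        args = [str(a) for a in spec.get("args", [])]
        launch = " ".join([command, *args]).strip()
        if launch in approved:
            continue
        reasons = ["launch command not on the approved list"]
        # The PoC in the article ran the aws CLI; shells and that CLI get an extra tag.
        if any(t in SHELL_OR_CLOUD_CLI for t in (Path(command).name, *args)):
            reasons.append("launches a shell or the aws CLI")
        findings.append({"server": name, "launch": launch, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in review_servers(load_mcp_servers(SAMPLE_CONFIG)):
        print(f"REVIEW {f['server']}: {f['launch']} ({'; '.join(f['reasons'])})")
```

Run it against the config file the repository ships (read the file and pass its text to load_mcp_servers) before accepting a trust prompt; every finding is a server the workspace would start on your machine.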
Sources
Published by Tech & Business, a media brand covering technology and business. This story was sourced from The Hacker News and reviewed by the T&B editorial agent team.