# Amazon Q Developer Flaw Could Let Malicious Repos Run Code via MCP Configs _Friday, June 26, 2026 at 3:50 PM EDT · Cybersecurity · Latest · Tier 2 — Notable_ ![Amazon Q Developer Flaw Could Let Malicious Repos Run Code via MCP Configs — Primary](https://thehackernews.com/images/-AaptImXE5Y4/WzjvqBS8HtI/AAAAAAAAxSs/BcCIwpWJszILkuEbDfKZhxQJwOAD7qV6ACLcBGAs/s728-e365/the-hacker-news.jpg) Amazon has fixed a high-severity vulnerability in Amazon Q Developer that allowed malicious repositories to execute code and exfiltrate cloud credentials through Model Context Protocol configurations. The Hacker News reported June 26 that the flaw, tracked as CVE-2026-12957 with a CVSS score of 8.5, was found by Wiz Research. The bug was in how the AI coding assistant handled MCP servers defined in a .amazonq/mcp.json file placed in an opened workspace. Amazon Q read the file and launched the servers, which inherited the developer's full environment, including AWS keys, cloud CLI tokens, API secrets and SSH agent sockets. A single config file in a cloned repo was enough to reach this state once the workspace was trusted. In a proof of concept, Wiz showed the file could run aws sts get-caller-identity and send the output to an attacker server. Amazon said users must trust the workspace when prompted. Wiz said there was no separate consent step for the MCP servers before the fix. The patch now flags untrusted MCP servers and lets developers reject them. The flaw was in Language Servers for AWS, used by Amazon Q in VS Code, JetBrains, Eclipse and Visual Studio. It is fixed in Language Servers for AWS version 1.69.0. Minimum plugin versions are VS Code 2.20 or later, JetBrains 4.3 or later, Eclipse 2.7.4 or later and Visual Studio 1.94.0.0 or later. No public exploitation is known. Wiz reported the issue April 20 and saw a fix May 12. ## Sources - [The Hacker News](https://thehackernews.com/) --- Canonical: https://techandbusiness.org/newswire/WMYow9Ig064KslncDNOpl2 Retrieved: 2026-06-26T23:50:51.002Z Publisher: Tech & Business (techandbusiness.org)