One CVE-2026-12957, CVSS 8.5, and a short attack path: a developer opens a malicious repo, trusts the workspace, and Amazon Q Developer executes arbitrary commands on their behalf. Wiz found the flaw in how Amazon's AI coding assistant ingests Model Context Protocol (MCP) server configurations.
MCP Configs as an Entry Point
Model Context Protocol lets AI assistants reach into local tools and data. Amazon Q uses MCP servers to extend its capabilities. The bug let a carefully crafted repo supply a malicious MCP configuration that Q would process without sufficient validation. The result: the repo could run commands in the developer's environment and exfiltrate cloud credentials stored locally.
Amazon patched the flaw after Wiz disclosed it. No in-the-wild exploitation has been reported, but the attack surface is wide. Any developer using Amazon Q with workspace trust enabled could have been a target. The CVSS 8.5 rating reflects the ease of exploitation and the high impact on confidentiality and integrity.
Why This Matters for AI-Assisted Development
This is not a theoretical supply-chain risk. A developer clones a seemingly legitimate repo, VSCode or JetBrains asks "trust the workspace?", they click yes, and the MCP config inside repo/.amazonq/mcp.json kicks off. Amazon Q then pulls the malicious server, calls it, and the attacker's code runs with the same permissions as the developer's AWS CLI.
Wiz's disclosure includes technical details on the exact API endpoints and trust boundaries that failed. The fix restricts MCP server origins and enforces stricter validation of configuration files. Developers should update to the latest Amazon Q extension immediately.
One takeaway for any team using AI coding assistants: treat repo-level configuration files as untrusted until proven otherwise. The next MCP bug might not get patched so quickly.
Source: Amazon Q Developer Flaw Could Let Malicious Repos Run Code via MCP Configs
Domain: thehackernews.com
Comments load interactively on the live page.