Amazon Q Developer Flaw Could Let Malicious Repos Run Code via MCP Configs
Summary
A high-severity flaw, CVE-2026-12957 (CVSS 8.5), in Amazon Q Developer allowed a malicious repository to execute commands and steal a developer's cloud credentials. The vulnerability was found in how the AI coding assistant handled Model Context Protocol (MCP) servers. Amazon has since patched the flaw.
IFF Assessment
The flaw, though severe, has been identified and patched by Amazon, reducing the attack surface for potential exploitation.
Severity
The CVSS score of 8.5 (high) is appropriate as the vulnerability allowed unauthenticated remote code execution and credential theft simply by opening a malicious repository and trusting the workspace. This indicates high impact and exploitability.
Defender Context
Defenders should be aware of the supply chain risks associated with integrating AI coding assistants and other third-party tools into their development environments. This incident highlights the importance of vetting all code sources, even when using AI-powered tools, and ensuring proper access controls and credential management are in place. Organizations should keep such tools patched and configured securely to prevent similar vulnerabilities from being exploited.