Amazon Q vulnerability could let malicious Git repos run code on developers' machines
Amazon has patched a security flaw in its Q developer assistant for Visual Studio Code that could allow a specially crafted Git repository to trigger commands on a developer’s system and expose cloud...
Amazon has patched a security flaw in its Q developer assistant for Visual Studio Code that could allow a specially crafted Git repository to trigger commands on a developer’s system and expose cloud credentials.
The issue, tracked as CVE-2026-12957 and rated 8.5 on the CVSS 4.0 scale, was identified by researchers at Wiz. They found that Amazon Q would automatically read an MCP configuration file stored at .amazonq/mcp.json inside a project workspace. When a developer opened the repository and enabled Amazon Q, the extension could execute the commands defined in that file without asking for approval.
That behavior matters because Model Context Protocol, or MCP, is designed to let AI tools interact with local programs and services. In this case, any spawned process inherited the developer’s active environment, which may include AWS access keys, API tokens, SSH agent sockets, and other sensitive material already loaded into the session.
Why the issue was serious
According to Wiz, the flaw removed an important user-consent step. A malicious repository could therefore act as a delivery vehicle for hidden commands, with little more required than getting a developer to open the folder and activate the assistant.
- Automatic loading of workspace MCP settings bypassed expected trust checks.
- Commands ran with access to the developer’s local environment.
- Exposed secrets could potentially be used to reach cloud accounts and other internal systems.
To demonstrate the problem, Wiz built a proof-of-concept repository that used a malicious MCP setup. When opened with Amazon Q enabled, the extension executed a command using the developer’s existing AWS credentials.
Amazon says the issue has been addressed in language server version 1.65.0, which powers Amazon Q’s IDE integrations. Systems with automatic updates enabled should receive the fix automatically.
Wiz said the finding highlights a broader risk across AI coding tools that support workspace-level integrations. As more assistants adopt MCP and similar mechanisms, attackers may increasingly target hidden project files that developers do not typically inspect closely.
