// AWSHIGH
Two high-severity vulnerabilities (CVE-2026-12957, CVE-2026-12958) in Amazon Q Developer Extension for VS Code and other IDEs allowed remote code execution and AWS credential theft when developers opened malicious repositories containing an `.amazonq/mcp.json` file. The extension auto-loaded MCP server configurations without user consent, enabling attackers to exfiltrate AWS credentials, API keys, and SSH agent sockets. Patches available in Language Servers for AWS 1.69.0 and corresponding IDE extensions.
- Amazon Q Vulnerability Let Attackers Execute Code and Access Sen(opens in a new tab)
- Amazon Q Flaw Enabled Cloud Credential Theft via Malicious Repos(opens in a new tab)
- Amazon Q Developer Vulnerability Allows Code Execution via Malic(opens in a new tab)
- Amazon Q Vulnerability Highlights the Growing Risk of AI Assiste(opens in a new tab)
- Amazon Q Vulnerability Let Attackers Execute Code and Access Sen(opens in a new tab)
- Amazon Q Flaw Enabled Cloud Credential Theft Through Malicious R(opens in a new tab)
// Get alerts for AWS