Amazon Q Bug Lets Hackers Run Code via MCP Configs

Emily Davis · 2026-06-26

A serious security flaw in Amazon Q Developer allowed a malicious repository to execute commands and steal cloud credentials. The attack chain was simple: a developer opens a repo, trusts the workspace, and Amazon Q's AI assistant does the rest. Amazon has since patched the vulnerability. Tracked as CVE-2026-12957 with a CVSS score of 8.5, the bug was rooted in how Amazon's AI coding assistant handled Model Context Protocol (MCP) servers. MCP is a protocol that lets AI tools like Amazon Q interact with external services, but the implementation had a critical oversight. ### How the Attack Worked The flaw relied on a developer trusting a malicious repository. Once the workspace was set to trusted mode, Amazon Q would automatically process MCP configurations from the repo. These configs could point to attacker-controlled servers, allowing the AI assistant to execute arbitrary commands on the developer's machine. - The attacker creates a repo with a malicious MCP config - The developer opens the repo and clicks "trust workspace" - Amazon Q loads the config and connects to the attacker's server - The server sends commands that run on the developer's machine - Cloud credentials stored in environment variables are exfiltrated This wasn't a theoretical risk. Researchers from Wiz demonstrated a working exploit that could steal AWS credentials from a developer's environment. The whole process took seconds and required no additional interaction from the victim. ### Why This Matters for Developers If you use Amazon Q Developer, this bug put your cloud credentials at risk. The attack didn't require any special permissions or complex social engineering. Just opening a repository could trigger the exploit. > "The path was short: a developer opens the repo, trusts the workspace, and Amazon Q does the rest." - Wiz security researchers This highlights a broader issue with AI coding assistants. They need access to your code and environment to be useful, but that access can be weaponized. The trust model in these tools needs to be more granular, not just an all-or-nothing switch. ### Amazon's Response Amazon released a patch that addresses the vulnerability. The update changes how Amazon Q handles MCP configurations from untrusted sources. Now, the assistant won't automatically process MCP servers from repos that haven't been explicitly verified. If you're using Amazon Q Developer, make sure you're running the latest version. The patch is included in the regular update cycle, so if you have automatic updates enabled, you should already be protected. ### What You Can Do to Stay Safe Even with the patch, there are steps you can take to reduce your risk: - Always review MCP configurations before trusting a workspace - Use separate development environments for different projects - Limit the permissions of your cloud credentials in development - Consider using an antidetect browser to isolate your work sessions Antidetect browsers can create separate browser profiles with different fingerprints, making it harder for attackers to track your activities or steal session data. They're especially useful if you manage multiple cloud accounts or work with sensitive code. ### The Bigger Picture This vulnerability isn't isolated. As AI tools integrate deeper into development workflows, we'll see more attacks targeting these integrations. The convenience of AI assistants comes with a trade-off in security. For developers, the lesson is clear: don't blindly trust any tool that has access to your code or credentials. Always verify what a repository is asking you to run, even if it's through an AI assistant you trust. Amazon's quick response is commendable, but the underlying issue of MCP security will likely resurface. Developers should stay informed about updates and consider additional security measures like antidetect browsers to protect their digital identities.