{"id":282526,"date":"2026-06-26T09:53:00","date_gmt":"2026-06-26T13:53:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/06\/26\/amazon-q-developer-flaw-could-let-malicious-repos-run-code-via-mcp-configs\/"},"modified":"2026-06-26T11:05:57","modified_gmt":"2026-06-26T15:05:57","slug":"amazon-q-developer-flaw-could-let-malicious-repos-run-code-via-mcp-configs","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/06\/26\/amazon-q-developer-flaw-could-let-malicious-repos-run-code-via-mcp-configs\/","title":{"rendered":"Amazon Q Developer Flaw Could Let Malicious Repos Run Code via MCP Configs"},"content":{"rendered":"

Amazon Q Developer Flaw Could Let Malicious Repos Run Code via MCP Configs<\/a><\/p>\n

https:\/\/thehackernews.com\/2026\/06\/amazon-q-developer-flaw-could-let.html<\/a><\/p>\n

Publish Date: 2026-06-26 09:53:00<\/a><\/p>\n

Source Domain: thehackernews.com<\/a><\/p>\n

\ue804Swati Khandelwal<\/span>\ue802Jun 26, 2026<\/span><\/span>AI Security \/ Vulnerability<\/span><\/p>\n

A high-severity flaw in Amazon Q Developer let a malicious repository run commands and steal a developer’s cloud credentials. The path was short: a developer opens the repo, trusts the workspace, and Amazon Q does the rest. Amazon has patched it.<\/p>\n

Tracked as\u00a0CVE-2026-12957\u00a0(CVSS 8.5), the bug sat in how Amazon’s AI coding assistant handled Model Context Protocol (MCP) servers.<\/p>\n

Wiz Research, which found and reported it, showed that a single config file dropped in a repo was enough to go from git clone to cloud compromise.<\/p>\n

How the attack worked<\/h2>\n

Amazon Q read an MCP configuration file,\u00a0.amazonq\/mcp.json, from the open workspace and launched the servers it defined. MCP servers are local processes that an AI assistant can spawn to reach databases, APIs, or build tools, so starting one means running commands on the machine.<\/p>\n

Those processes inherited the developer’s full environment. That usually means AWS keys, cloud CLI tokens, API secrets, and SSH agent sockets.<\/p>\n

Put the two together, and a file sitting in a cloned repo could run arbitrary code with the developer’s live cloud session attached. No password, no second sign-in.<\/p>\n

In its proof of concept, Wiz had the file run\u00a0aws sts get-caller-identity\u00a0and ship the output to an attacker server, capturing the active AWS session. What comes next depends on that developer’s cloud permissions: backdoor an IAM user for persistence, reach internal services, or pivot toward production.<\/p>\n

AWS and Wiz frame the consent step differently. Amazon’s\u00a0advisory\u00a0says the user has to trust the workspace when prompted, and CVSS rates the user interaction as passive.<\/p>\n

Wiz reported there was no separate consent step for the MCP servers themselves before the fix. The patch closes that gap: Amazon Q now flags an untrusted MCP server and lets the developer reject the command before it runs.<\/p>\n

\"\"<\/p>\n

The flaw lives in\u00a0Language Servers for AWS, the runtime that powers Amazon Q…<\/p>\n

Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

Amazon Q Developer Flaw Could Let Malicious Repos Run Code via MCP Configs https:\/\/thehackernews.com\/2026\/06\/amazon-q-developer-flaw-could-let.html Publish…<\/p>\n","protected":false},"author":1,"featured_media":282527,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEig3gygt20RdznayWN2yru6wSgNt8CSdr16F8I-naxtPn837cr6v0uV0bXdhz36P1XYrpnjmzDXTAtH0wa43Me8rqD2hvET-xQP0ndoX-ddXsypZCjSSNJUqmfl69g96R6yMiUqgXE_NGAL8bl2z6lYutrgKiY74tNIafz_xRsNsJQSB9s_9lSHiybX2kQ\/s1600\/aws.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[26,27],"class_list":["post-282526","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-ai","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/282526"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=282526"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/282526\/revisions"}],"predecessor-version":[{"id":282528,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/282526\/revisions\/282528"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/282527"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=282526"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=282526"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=282526"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}