BREAKING
AWS Patches Amazon Q Developer Flaw
How the attack works
1. Open malicious repo
2. Approve trust prompt
3. MCP config runs
4. AWS keys exposed
Two flaws, no workaround
CVE-2026-12957 (Trust boundary)
● Before v1.65.0
● Runs embedded commands
● No MCP approval needed

CVE-2026-12958 (Symlink)
● Before v1.69.0
● Missing symlink check
● Escapes workspace
Industry-wide MCP risk
Update to Language Servers v1.69.0+
AI NEWS BLITZ
AWS has disclosed and patched a flaw in Amazon Q Developer that could leak AWS credentials.
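
For the missing symlink check listed under CVE-2026-12958, here is an added example (not AWS's code and not the actual fix) of a review step to run on an untrusted repository before opening it: list every symlink whose resolved target lies outside the workspace. The function names and the sample directory tree are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path


def is_inside(root: Path, candidate: Path) -> bool:
    """True if candidate, after resolving symlinks, is root or below it."""
    real_root = root.resolve()
    real = candidate.resolve()  # follows every symlink on the path
    return real == real_root or real_root in real.parents


def escaping_symlinks(workspace: str) -> list[tuple[str, str]]:
    """Return (link, resolved target) for each symlink leaving the workspace."""
    root = Path(workspace)
    found = []
    # followlinks=False: linked directories are reported, never descended into
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            if p.is_symlink() and not is_inside(root, p):
                found.append((str(p.relative_to(root)), str(p.resolve())))
    return sorted(found)


def demo() -> list[str]:
    """Constructed sample tree: two links escape, one stays inside."""
    with tempfile.TemporaryDirectory() as tmp:
        ws, outside = Path(tmp, "workspace"), Path(tmp, "outside")
        (ws / "src").mkdir(parents=True)
        outside.mkdir()
        (outside / "secret.txt").write_text("constructed placeholder\n")
        (ws / "src" / "ok.txt").write_text("ok\n")
        # Stays inside the workspace: must not be reported
        (ws / "inside_link").symlink_to(ws / "src" / "ok.txt")
        # Directory link and file link that both leave the workspace
        (ws / "creds").symlink_to(outside, target_is_directory=True)
        (ws / "src" / "key").symlink_to(outside / "secret.txt")
        return [link for link, _ in escaping_symlinks(str(ws))]


if __name__ == "__main__":
    print(demo())
```

The comparison is made on fully resolved paths, so a link that reaches outside through an intermediate linked directory is caught as well as a direct one.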