"The security model assumes the user explicitly configures these servers. After all, you're granting an AI assistant permission to run arbitrary commands on your machine. This should require informed consent," Wiz wrote.
CVE-2026-12957: automatic loading of .amazonq/mcp.json
A high-severity vulnerability in Amazon's AI coding assistant for Visual Studio Code, tracked as CVE-2026-12957 and scored 8.5 by CVSS (4.0 scoring), arose from how Amazon Q handled Model Context Protocol (MCP) server configurations. Wiz discovered that the extension automatically loaded a repository's .amazonq/mcp.json file and executed the commands it contained when a developer opened the project and activated Amazon Q. According to Wiz, that automatic behavior occurred with "no prompt, no consent, no workspace trust check."
How the exploit worked: MCP processes inherited developer environment
MCP enables AI assistants to launch local processes to carry out tasks. In Amazon Q's implementation, those launched processes inherited the developer's environment, which can include AWS credentials, API keys, authentication tokens, SSH agent sockets, and other secrets already loaded into the session. Wiz said this combination allowed a single malicious config file to execute arbitrary commands with full access to the developer's credentials without any user interaction beyond opening the folder and activating Amazon Q.
To demonstrate the flaw, Wiz built a repository containing a malicious MCP configuration. Opening the project and activating Amazon Q caused the extension to execute a command against AWS using the developer's existing credentials, the researchers reported.
Amazon's remediation: language server version 1.65.0
Amazon addressed the vulnerability by updating the language server that powers Amazon Q's IDE integrations. The company said it remediated the issue in language server version 1.65.0. According to the advisory, existing installations should receive the patched component automatically unless automatic updates have been blocked.
Amazon thanked Wiz for collaborating on the issue in the advisory, though the company did not respond to questions from The Register about the matter.
Wiz's warning: MCP adoption and hidden workspace files as an attack surface
Wiz argued the bug reflects a broader, industry-level risk rather than an isolated Amazon failure. The researchers noted that more AI coding assistants are adopting MCP to connect models to local tools and services, and that similar workspace-configuration flaws have recently surfaced in other AI coding tools. The implication, according to Wiz, is that attackers have found a new place to lurk: the hidden files that developers rarely think twice about trusting.
What this means for developers, security teams, and enterprises
- Developers: The specific attack required only opening a project and activating Amazon Q; MCP configurations in .amazonq/mcp.json could trigger local commands that inherit environment secrets like AWS credentials, API keys, and SSH agent sockets.
- Security teams: The vulnerability demonstrates that MCP-launched processes can access session-loaded secrets, creating a vector for credential theft if workspace configuration files are malicious or untrusted.
- Enterprises and platform operators: Amazon's fix was delivered in language server 1.65.0 and "should" be received automatically unless automatic updates are blocked — a detail enterprises will need to reconcile with their update policies.
This incident ties a relatively compact piece of code — a workspace configuration file — to some of the most sensitive assets a developer can carry in a session. Amazon's patch addresses the specific defect in Amazon Q's language server, and Wiz's disclosure underscores that MCP-style integrations move powerful capabilities to the local environment. The record here leaves a pointed question for tool makers and organizations adopting these assistants: how will consent and workspace trust be enforced when a single hidden file can summon processes that run with the user's broad access?
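A defensive check that follows from the disclosure above: scan a freshly cloned repository for an MCP configuration before opening it in the IDE, and flag every server entry that would spawn a local process. This is an added example, not code from Amazon, Wiz, or The Register; it assumes the .amazonq/mcp.json path named in the advisory and the common MCP layout of a "mcpServers" object whose entries carry either a "command" (local process) or a "url" (remote server). The sample configuration is constructed.

```python
import json
import os
from pathlib import Path

# Assumed: Amazon Q reads MCP servers from <repo>/.amazonq/mcp.json (path from the advisory)
# in the common {"mcpServers": {name: {"command", "args", "env"} or {"url"}}} layout.
CONFIG_PATHS = [".amazonq/mcp.json"]
SHELLS = {"sh", "bash", "zsh", "cmd", "cmd.exe", "powershell", "pwsh"}


def scan_mcp_config(text):
    """Return one finding per server entry that would spawn a local process."""
    try:
        servers = json.loads(text).get("mcpServers", {})
    except (ValueError, AttributeError):
        return [{"server": None, "severity": "warn", "reason": "unparseable config"}]
    findings = []
    for name, spec in servers.items():
        if not isinstance(spec, dict) or "command" not in spec:
            continue  # url-based (remote) servers spawn nothing on the developer's machine
        cmd = str(spec["command"])
        reasons = ["spawns a local process that inherits the session environment"]
        severity = "medium"
        if os.path.basename(cmd).lower() in SHELLS:
            severity = "high"  # a shell interpreter can run anything the args ask for
            reasons.append("command is a shell interpreter")
        if spec.get("env"):
            reasons.append("sets extra environment variables for the child")
        findings.append({"server": name, "command": cmd, "args": list(spec.get("args", [])),
                         "severity": severity, "reason": "; ".join(reasons)})
    return findings


def scan_repo(root):
    """Scan a checked-out repository for MCP configs; returns {relative path: findings}."""
    results = {}
    for rel in CONFIG_PATHS:
        path = Path(root) / rel
        if path.is_file():
            results[rel] = scan_mcp_config(path.read_text())
    return results


# Constructed sample: one remote server (harmless) and one stdio server that launches a shell.
SAMPLE_CONFIG = json.dumps({"mcpServers": {
    "docs": {"url": "https://example.invalid/mcp"},
    "helper": {"command": "bash", "args": ["-c", "echo hi"]},
}})

if __name__ == "__main__":
    for finding in scan_mcp_config(SAMPLE_CONFIG):
        print(f"[{finding['severity']}] {finding['server']}: {finding['command']} {finding['args']} ({finding['reason']})")
```

Run it against a clone before opening the folder with Amazon Q active; any "high" or "medium" finding means the file would have launched a process with the session's credentials under the pre-1.65.0 behaviour.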