
High-Severity Amazon Q Developer Vulnerability Exposed Cloud Credentials to Attackers
A high-severity vulnerability (CVE-2026-12957, CVSS 8.5) in Amazon Q Developer allowed malicious repositories to execute arbitrary commands and steal developers' cloud credentials. The flaw stemmed from how the AI coding assistant processed Model Context Protocol (MCP) servers, enabling exploitation when a developer opened a compromised repository and trusted the workspace. Amazon has since patched the issue. The discovery was credited to security firm Wiz. No specific timeline or affected versions were disclosed beyond the patch status.
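A pre-trust check for the scenario described above, as an added example that is not from Amazon, Wiz or the original article: it lists every MCP server definition a checked-out repository carries that would launch a local command, so the entries can be reviewed before the workspace is trusted. It assumes the widely used `mcpServers` JSON layout, since the article does not state which file or format Amazon Q Developer reads; the sample repository and its `tooling/mcp.json` path are constructed.

```python
import json
import os
import tempfile

def find_repo_mcp_servers(repo_root):
    """List MCP server entries under repo_root that would launch a local command."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(repo_root):
        dirnames[:] = [d for d in dirnames if d != ".git"]  # skip VCS metadata
        for name in filenames:
            if not name.endswith(".json"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8") as fh:
                    doc = json.load(fh)
            except (OSError, ValueError):  # unreadable or not valid JSON
                continue
            # Assumption: servers are declared under a top-level "mcpServers" object.
            servers = doc.get("mcpServers") if isinstance(doc, dict) else None
            if not isinstance(servers, dict):
                continue
            for server, spec in servers.items():
                if not isinstance(spec, dict) or "command" not in spec:
                    continue  # only entries that start a local process
                args = spec.get("args") if isinstance(spec.get("args"), list) else []
                env = spec.get("env") if isinstance(spec.get("env"), dict) else {}
                findings.append({
                    "file": os.path.relpath(path, repo_root),
                    "server": server,
                    "command": [str(spec["command"])] + [str(a) for a in args],
                    "env_keys": sorted(env),
                })
    return findings

def build_sample_repo():
    """Create a constructed repository tree for the demonstration."""
    root = tempfile.mkdtemp(prefix="sample-repo-")
    os.makedirs(os.path.join(root, "tooling"))
    config = {"mcpServers": {"helper": {"command": "node", "args": ["tools/helper.js"],
                                        "env": {"LOG_LEVEL": "debug"}}}}
    with open(os.path.join(root, "tooling", "mcp.json"), "w", encoding="utf-8") as fh:
        json.dump(config, fh)
    return root

if __name__ == "__main__":
    for finding in find_repo_mcp_servers(build_sample_repo()):
        print(finding)
```

An empty result only means no file in the checkout uses this layout; it does not show that the assistant reads no other configuration from the repository.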