Wiz Research has disclosed a high-severity vulnerability in Amazon Q Developer, Amazon’s AI coding assistant, that allowed arbitrary code execution and cloud credential theft when a developer simply opened a malicious project folder.
The flaw, tracked as CVE-2026-12957, carried a severity score of 8.5. The trigger was ordinary developer behavior: clone a repository, open it, and let the assistant activate.
At the root was a trust problem. Amazon Q automatically read and ran configuration for external tool connections (known as MCP servers) straight from files inside the open workspace, with no prompt and no consent check.
Because those spawned processes inherited the developer’s full environment, anything the attacker placed in the repository could run with the developer’s live cloud session attached.
That environment is the prize. For a developer working against the cloud, it typically holds AWS access keys, session tokens, cloud CLI credentials, and other secrets.
Wiz showed that a single planted configuration file could turn opening a folder into a path from local code execution to full cloud compromise, with no password or second sign-in required.
An Expanding Attack Surface
The danger is the delivery methods, which look routine. Wiz pointed to malicious pull requests, typosquatted packages, and even fake coding-test repositories sent during fake job interviews, a tactic security teams have tied to North Korean operators.
For Rohit Valia, CEO of cybersecurity firm Tumeryk, the case expands what can be considered an attack surface.
“The Amazon Q vulnerability shows us why [AI-based] coding assistants are now a legitimate attack surface,” he told Expert Insights, arguing that any AI tool with access to a developer’s environment should be treated as a potential route for credential theft.
His recommendation is to gate AI tool actions behind guardrails and real-time risk scoring, allowing only approved operations, rather than trusting them by default.
Wiz framed the bug as part of a wider pattern, noting similar auto-execution flaws found across other AI coding tools, where project files quietly become executable behavior and the trust checks around them fail.
Amazon has fixed the issue. In a security bulletin, AWS said the language server updates automatically for most users, so reloading the IDE pulls the patched build. The bulletin directs customers to version 1.69.0, which also resolves a second, related flaw, CVE-2026-12958.
