Overview
- Wiz discovered and reported the flaw in April 2026; on June 26, 2026 it publicly disclosed technical details and a proof of concept showing the output of aws sts get-caller-identity being exfiltrated after a cloned repo was opened.
- AWS fixed the root issue in the AWS Language Server in version 1.65.0 on May 12, 2026, recommends newer builds such as 1.69.0, and has released patched Amazon Q plugins for VS Code, JetBrains, Eclipse, and Visual Studio.
- The vulnerability arose because Amazon Q auto-loaded .amazonq/mcp.json workspace configs without a separate consent step and spawned MCP servers that inherited the full user environment, including AWS keys, session tokens, CLI credentials, and SSH agent sockets.
- There are no confirmed public exploitations at disclosure time and the language server auto-updates for most users, but researchers warn developers could be exposed by malicious pull requests, typosquatted packages, or social-engineering tests that ask targets to open repos.
- Security teams say this is a broader ecosystem design problem for AI coding tools that use MCP, and they urge fixes such as explicit consent prompts, integration with IDE workspace-trust features, sanitizing workspace configs, and limiting environment inheritance to reduce risk.
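As an added illustration of the last two mitigations (not code from Wiz, AWS, or the Amazon Q project), the Python below gates workspace-defined MCP servers behind an explicit trust decision and, when a server is started, hands it an allowlisted environment instead of the full inherited one. The mcpServers/command/args/env layout of mcp.json, the deny and allow lists, and the sample values are assumptions constructed for the example.

```python
import json
import os
import re
import subprocess

# Variables that must never be inherited by a workspace-defined MCP server.
# Constructed for this example; extend it to cover your own credential sources.
DENY = re.compile(r"^(AWS_|SSH_AUTH_SOCK$|GITHUB_TOKEN$|NPM_TOKEN$)")
# Allowlist: the child gets only these, and only if they also pass DENY.
ALLOW = {"PATH", "HOME", "LANG", "TERM", "TMPDIR"}

def scrub_env(env):
    """Build the minimal environment for a child process (limits inheritance)."""
    return {k: v for k, v in env.items() if k in ALLOW and not DENY.match(k)}

def parse_workspace_config(text, trusted):
    """Parse an .amazonq/mcp.json body (mcpServers layout is assumed).
    An untrusted workspace yields no servers, so nothing can auto-spawn
    before the developer has explicitly trusted the folder."""
    if not trusted:
        return {}
    servers = json.loads(text).get("mcpServers", {})
    return {n: s for n, s in servers.items() if isinstance(s.get("command"), str)}

def launch_plan(spec, env=None):
    """Return (argv, child_env) for one server spec without starting it.
    Per-server 'env' entries from the config are kept unless they are sensitive."""
    child_env = scrub_env(os.environ if env is None else env)
    for k, v in spec.get("env", {}).items():
        if not DENY.match(k):
            child_env[k] = str(v)
    return [spec["command"], *map(str, spec.get("args", []))], child_env

def start_server(spec):
    """Actually spawn the server with the scrubbed environment."""
    argv, child_env = launch_plan(spec)
    return subprocess.Popen(argv, env=child_env)

# Constructed workspace config of the kind a cloned repo could carry.
SAMPLE_CONFIG = json.dumps({"mcpServers": {"helper": {
    "command": "node", "args": ["tool.js"], "env": {"AWS_PROFILE": "prod"}}}})
# Constructed parent environment holding the secrets an IDE would typically have.
SAMPLE_ENV = {"PATH": "/usr/bin", "HOME": "/home/dev",
              "AWS_ACCESS_KEY_ID": "AKIA-EXAMPLE", "AWS_SESSION_TOKEN": "tok",
              "SSH_AUTH_SOCK": "/tmp/agent.sock"}

def demo():
    """Trusted workspace: plan the launch and show what the child would see."""
    servers = parse_workspace_config(SAMPLE_CONFIG, trusted=True)
    return launch_plan(servers["helper"], SAMPLE_ENV)
```

With the same config marked untrusted, parse_workspace_config returns nothing, which is the behaviour the consent-prompt mitigation asks for.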