Overview
- Researchers at Wiz found that Amazon Q automatically loaded MCP server configs from a workspace and launched the defined local processes without explicit consent, allowing a cloned repo to trigger arbitrary commands.
- Spawned MCP processes inherited the developer's full environment, including AWS keys, CLI tokens, API secrets, and SSH agent sockets, which a proof of concept used to run aws sts get-caller-identity and exfiltrate the active session.
- AWS deployed a fix to the Language Server for AWS on May 12 that adds consent checks, and the issue was publicly disclosed on Friday, June 26, after CVE-2026-12957 was assigned on June 23.
- Users should update affected IDE plugins or the language server (fixed in 1.65.0 and later builds such as 1.69.0), reload their IDE to trigger updates, and treat repository-carried configs as untrusted until consent prompts and environment scoping are verified.
- Security researchers warn this is part of a wider pattern across AI coding assistants where project-level MCP or config files become an execution vector, and they urge stronger trust boundaries, minimal environment inheritance for child processes, and integration with IDE workspace-trust features.
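
The minimal environment inheritance recommended in the last point, as an added Python example that is not from Wiz, AWS, or Amazon Q: it launches a child process with an allowlisted environment and reports which credential-bearing variables were withheld. The allowlist, the name markers, and the sample parent environment are assumptions constructed for illustration.

```python
import os
import subprocess
import sys

# Assumed allowlist: variables a local tool usually needs just to start.
ALLOWED = {"PATH", "HOME", "LANG", "TMPDIR", "SYSTEMROOT"}
# Assumed name markers for credential-bearing variables.
SENSITIVE_MARKERS = ("AWS_", "TOKEN", "SECRET", "KEY", "PASSWORD", "SSH_AUTH_SOCK")

# Constructed parent environment standing in for a developer's shell.
SAMPLE_PARENT = {
    "PATH": os.environ.get("PATH", "/usr/bin:/bin"),
    "HOME": "/home/dev",
    "AWS_ACCESS_KEY_ID": "constructed-access-key-id",
    "AWS_SESSION_TOKEN": "constructed-session-token",
    "GITHUB_TOKEN": "constructed-token",
    "SSH_AUTH_SOCK": "/tmp/constructed-agent.sock",
    "EDITOR": "vim",
}


def scoped_env(parent, allowed=ALLOWED):
    """Keep only allowlisted variables; everything else is dropped by default."""
    return {k: v for k, v in parent.items() if k in allowed}


def withheld_secrets(parent, allowed=ALLOWED):
    """Sensitive-looking names that full inheritance would have exposed."""
    return sorted(
        k for k in parent
        if k not in allowed and any(m in k.upper() for m in SENSITIVE_MARKERS)
    )


def child_visible_names(parent, allowed=ALLOWED):
    """Spawn a child with the scoped environment and return the names it sees."""
    probe = "import os; print('\\n'.join(sorted(os.environ)))"
    result = subprocess.run(
        [sys.executable, "-c", probe],
        env=scoped_env(parent, allowed),  # env= replaces, never merges
        capture_output=True, text=True, check=True,
    )
    return set(result.stdout.split())


if __name__ == "__main__":
    print("withheld from child:", withheld_secrets(SAMPLE_PARENT))
    print("visible to child:  ", sorted(child_visible_names(SAMPLE_PARENT)))
```

The child may still see a variable the interpreter sets for itself at startup, so the check that matters is that none of the withheld names appear in its environment.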