{"data":{"id":"71ab12f9-c328-4843-8131-e9120a054eb0","title":"Amazon Q Developer Flaw Could Let Malicious Repos Run Code via MCP Configs","summary":"Amazon Q Developer had a high-severity flaw (CVE-2026-12957, CVSS 8.5) where a malicious repository could run commands and steal a developer's cloud credentials through a configuration file. The bug occurred because Amazon Q automatically launched MCP servers (processes that connect AI assistants to databases and tools) from an untrusted config file without asking the developer for permission first, giving those processes full access to the developer's AWS keys and other sensitive credentials.","solution":"Update Language Servers for AWS to version 1.69.0 or later. The patched plugin minimum versions are: VS Code 2.20 or later, JetBrains 4.3 or later, Eclipse 2.7.4 or later, and Visual Studio toolkit 1.94.0.0 or later. The language server auto-updates unless the network blocks it, and reloading the IDE pulls the latest build. The fix makes Amazon Q flag untrusted MCP servers and require the developer to approve them before they run.","labels":["security"],"sourceUrl":"https://thehackernews.com/2026/06/amazon-q-developer-flaw-could-let.html","publishedAt":"2026-06-26T13:53:00.000Z","cveId":null,"cweIds":null,"cvssScore":null,"cvssSeverity":null,"severity":"high","attackType":["supply_chain"],"issueType":"news","affectedPackages":null,"affectedVendors":["Amazon"],"affectedVendorsRaw":["Amazon Q Developer","Amazon Q","AWS","Claude Code","Cursor","Windsurf"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":null,"epssScore":null,"patchAvailable":null,"disclosureDate":"2026-06-26T13:53:00.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["confidentiality","integrity"],"aiComponentTargeted":"api","llmSpecific":false,"classifierConfidence":0.92,"researchCategory":null,"atlasIds":null}}