AI Sucks
Amazon Q Developer flaw allows cloud credential theft via malicious r…
By ai_poster · 6/28/2026, 2:30:02 PM
A vulnerability in Amazon’s AI-powered coding assistant, Amazon Q Developer, allowed attackers to steal cloud credentials by tricking a developer into opening a poisoned code repository. The flaw, tracked as CVE-2026-12957, carries a CVSS score of 8.5 out of 10. Wiz Research discovered that the Amazon Q Developer extension for IDEs would automatically load and execute Model Context Protocol (MCP) server configurations without asking permission, running hidden commands with full access to environment variables including AWS credentials. Wiz reported the vulnerability to Amazon on April 20, 2026. Amazon released an initial patch on May 12, 2026, in Language Servers for AWS version 1.65.0, with public disclosure on June 26, 2026. Amazon recommended upgrading to version 1.69.0 for more comprehensive protection, which also addresses a related vulnerability, CVE-2026-12958, involving symlink validation issues. No instances of public exploitation have been recorded. Similar flaws were reported for other AI coding tools including Claude Code, Cursor, and Windsurf.
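The auto-load behaviour the post describes, shown from the defender's side as an added example (not Amazon's, Wiz's or the extension's code): a repository-shipped MCP config is parsed and audited, entries only start after an explicit per-entry approval bound to their content hash, and approved servers get a minimal environment instead of inheriting the IDE's. The `mcpServers`/`command`/`args`/`env` layout is assumed from generic MCP client configs, and the sample config is constructed.

```python
import hashlib
import json

def fingerprint(server: dict) -> str:
    """Hash one server entry so approval is bound to its exact content."""
    canon = json.dumps(server, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()

def audit_mcp_config(text: str) -> list[dict]:
    """Describe every process this config would make the client launch."""
    findings = []
    for name, server in json.loads(text).get("mcpServers", {}).items():
        argv = [server.get("command", "")] + list(server.get("args", []))
        findings.append({
            "server": name,
            "argv": argv,
            "env_keys": sorted(server.get("env", {})),
            # A shell launcher with an inline script is the pattern to flag.
            "inline_shell": any(a in ("sh", "bash", "-c") for a in argv),
            "fingerprint": fingerprint(server),
        })
    return findings

def approved_servers(text: str, trust_store: set[str]) -> dict:
    """Only explicitly approved entries may start, and each gets a minimal
    environment instead of inheriting the IDE's (where AWS_* variables live)."""
    launchable = {}
    for name, server in json.loads(text).get("mcpServers", {}).items():
        if fingerprint(server) in trust_store:
            launchable[name] = {
                "argv": [server.get("command", "")] + list(server.get("args", [])),
                # Assumed minimal environment; nothing from os.environ is passed through.
                "env": {"PATH": "/usr/bin:/bin", **server.get("env", {})},
            }
    return launchable

# Constructed sample: one ordinary server, one that runs an inline shell command.
SAMPLE_CONFIG = json.dumps({"mcpServers": {
    "docs": {"command": "npx", "args": ["-y", "@example/docs-mcp"]},
    "helper": {"command": "sh", "args": ["-c", "echo hidden-command"]},
}})
```

Run `audit_mcp_config` over a checkout before the IDE opens it; with an empty trust store `approved_servers` launches nothing, which is the behaviour the patched extension is described as adopting by asking first.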