CVE-2026-12957 — Amazon Q Developer auto-loaded workspace MCP configs, enabling repo-planted code execution and AWS credential theft (Wiz)

Wiz Research disclosed (2026-06-26) that the Amazon Q Developer VS Code extension automatically loaded and executed Model Context Protocol (MCP) server configurations from a workspace's .amazonq/mcp.json with no user consent, workspace-trust check, or warning (Wiz Research, 2026-06-26). Spawned MCP processes inherited the developer's full environment — AWS session tokens, IAM credentials, SSH agent sockets — so cloning a malicious repository and opening it with Amazon Q active silently executed an attacker command; a minimal PoC ran aws sts get-caller-identity and POSTed the result to an external host with zero clicks (The Register, 2026-06-26). Wiz places it in a documented class of at least six MCP-auto-execution flaws across AI coding assistants (Cursor, Windsurf, Claude Code) — a workspace-trust-enforcement failure pattern, not a one-off. Affected: Language Server for AWS < 1.65.0; fixed in 1.65.0 (discovered 2026-04-17, patched 2026-05-12, public 2026-06-26). Why it matters to us: Any CH/EU developer team using Amazon Q with AWS should confirm the language server is ≥ 1.65.0, audit repositories for .amazonq/mcp.json, and enforce VS Code workspace-trust policies so AI assistants do not auto-load configs from untrusted clones.