CVE-2026-12957

Published Jun 23, 2026

Last updated 16 days ago

CVSS high 8.5
Supply chain

Overview

Description
Improper trust boundary enforcement in Language Servers for AWS before version 1.65.0 on all supported platforms may allow a for arbitrary code execution. If a local user opens a maliciously crafted workspace, any commands within the project configuration files may be automatically executed. This issue requires the user to trust the workspace when prompted. To remediate this issue, users should upgrade to Language Servers for AWS version 1.65.0 or higher.
Source
ff89ba41-3aa1-4d27-914a-91399e9639e5
NVD status
Awaiting Analysis

Risk scores

CVSS 4.0

Type
Secondary
Base score
8.5
Impact score
-
Exploitability score
-
Vector string
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Severity
HIGH

CVSS 3.1

Type
Secondary
Base score
7.8
Impact score
5.9
Exploitability score
1.8
Vector string
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity
HIGH

Weaknesses

ff89ba41-3aa1-4d27-914a-91399e9639e5
CWE-732

Social media

Hype score
Not currently trending
  1. After analyzing 55% of vulnerabilities from past week, CVE-2026-12957 has 9 articles published from different internet sources, no other cve has these many articles. More information here: https://t.co/SyyDujjO8C #vulnerability #CyberSecurity #ThreatIntel #CVE #SecurityAlert

    @stooee_

    3 Jul 2026

    51 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. Amazon Q Developer: CVE-2026-12957 macht MCP-Konfigurationen riskant Kurz gesagt: CVE-2026-12957 rückt Amazon Q Developer… https://t.co/L4bAYW9eaa #TechNews #Digitalisierung

    @TechZeitGeist

    3 Jul 2026

    49 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. AIコーディングアシスタント「Amazon-Q-Developer」の脆弱性CVE-2026-12957の修正が公開されています。プロジェクトフォルダ内の[.]amazonq/mcp[.]json(AIアシスタントに外部ツール連携を指示するMCP設定)が開いた瞬間に

    @MalwareBibleJP

    29 Jun 2026

    1431 Impressions

    3 Retweets

    12 Likes

    2 Bookmarks

    0 Replies

    0 Quotes

  4. CISO Daily Briefing: Amazon Q Developer CVE-2026-12957 (CVSS 8.5) — MCP auto-execution, no user interaction required, Miasma worm across 73 GitHub repos; Linux LPEs CVE-2026-46331 + CVE-2026-43503 bypass file integrity monitoring entirely in memory. Fable 5/Mythos 5 suspended f

    @cloudsa

    28 Jun 2026

    428 Impressions

    0 Retweets

    0 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  5. Vulnerabilità Amazon Q Developer e PTC Windchill: patch urgenti CVE-2026-12957 e CVE-2026-12569 Sicurezza Informatica, AWS https://t.co/KPEqjEPV5t https://t.co/D7Ixam3qN4

    @matricedigitale

    27 Jun 2026

    60 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  6. 1/3 A high-severity flaw in Amazon Q Developer let a malicious repo run commands and steal a developer's cloud credentials just by being opened. CVE-2026-12957 (CVSS 8.5), found by Wiz Research, is now patched. #CVE #AmazonQ #AWS #SupplyChainAttack #cybersecurity

    @CyberTLDR

    27 Jun 2026

    46 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  7. Three high-severity CVEs hit enterprise and dev stacks today: CVE-2026-12957 lets a malicious repo silently execute code via Amazon Q Developer's MCP config, exfiltrating AWS credentials; CVE-2026-43503 (DirtyClone, CVSS 8.8) gives Linux local users root via cloned network

    @XavierRiveraX

    26 Jun 2026

    76 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  8. CVE-2026-12957 and CVE-2026-12958 - Issues in Language Servers for AWS and Amazon Q Developer Plugins https://t.co/pH4Kfmdd3m #patchmanagement

    @eyalestrin

    25 Jun 2026

    54 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  9. AWS patched CVE-2026-12957 and CVE-2026-12958 in Language Servers for AWS and Amazon Q Developer IDE plugins. https://t.co/XM2TRtKRKW

    @f1tym1

    23 Jun 2026

    56 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes