- Description
- Improper trust boundary enforcement in Language Servers for AWS before version 1.65.0 on all supported platforms may allow a for arbitrary code execution. If a local user opens a maliciously crafted workspace, any commands within the project configuration files may be automatically executed. This issue requires the user to trust the workspace when prompted. To remediate this issue, users should upgrade to Language Servers for AWS version 1.65.0 or higher.
- Source
- ff89ba41-3aa1-4d27-914a-91399e9639e5
- NVD status
- Awaiting Analysis
CVSS 4.0
- Type
- Secondary
- Base score
- 8.5
- Impact score
- -
- Exploitability score
- -
- Vector string
- CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- Severity
- HIGH
CVSS 3.1
- Type
- Secondary
- Base score
- 7.8
- Impact score
- 5.9
- Exploitability score
- 1.8
- Vector string
- CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- Severity
- HIGH
- ff89ba41-3aa1-4d27-914a-91399e9639e5
- CWE-732
- Hype score
- Not currently trending
After analyzing 55% of vulnerabilities from past week, CVE-2026-12957 has 9 articles published from different internet sources, no other cve has these many articles. More information here: https://t.co/SyyDujjO8C #vulnerability #CyberSecurity #ThreatIntel #CVE #SecurityAlert
@stooee_
3 Jul 2026
51 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Amazon Q Developer: CVE-2026-12957 macht MCP-Konfigurationen riskant Kurz gesagt: CVE-2026-12957 rückt Amazon Q Developer… https://t.co/L4bAYW9eaa #TechNews #Digitalisierung
@TechZeitGeist
3 Jul 2026
49 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
AIコーディングアシスタント「Amazon-Q-Developer」の脆弱性CVE-2026-12957の修正が公開されています。プロジェクトフォルダ内の[.]amazonq/mcp[.]json(AIアシスタントに外部ツール連携を指示するMCP設定)が開いた瞬間に
@MalwareBibleJP
29 Jun 2026
1431 Impressions
3 Retweets
12 Likes
2 Bookmarks
0 Replies
0 Quotes
CISO Daily Briefing: Amazon Q Developer CVE-2026-12957 (CVSS 8.5) — MCP auto-execution, no user interaction required, Miasma worm across 73 GitHub repos; Linux LPEs CVE-2026-46331 + CVE-2026-43503 bypass file integrity monitoring entirely in memory. Fable 5/Mythos 5 suspended f
@cloudsa
28 Jun 2026
428 Impressions
0 Retweets
0 Likes
1 Bookmark
0 Replies
0 Quotes
Vulnerabilità Amazon Q Developer e PTC Windchill: patch urgenti CVE-2026-12957 e CVE-2026-12569 Sicurezza Informatica, AWS https://t.co/KPEqjEPV5t https://t.co/D7Ixam3qN4
@matricedigitale
27 Jun 2026
60 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
1/3 A high-severity flaw in Amazon Q Developer let a malicious repo run commands and steal a developer's cloud credentials just by being opened. CVE-2026-12957 (CVSS 8.5), found by Wiz Research, is now patched. #CVE #AmazonQ #AWS #SupplyChainAttack #cybersecurity
@CyberTLDR
27 Jun 2026
46 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
Three high-severity CVEs hit enterprise and dev stacks today: CVE-2026-12957 lets a malicious repo silently execute code via Amazon Q Developer's MCP config, exfiltrating AWS credentials; CVE-2026-43503 (DirtyClone, CVSS 8.8) gives Linux local users root via cloned network
@XavierRiveraX
26 Jun 2026
76 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2026-12957 and CVE-2026-12958 - Issues in Language Servers for AWS and Amazon Q Developer Plugins https://t.co/pH4Kfmdd3m #patchmanagement
@eyalestrin
25 Jun 2026
54 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
AWS patched CVE-2026-12957 and CVE-2026-12958 in Language Servers for AWS and Amazon Q Developer IDE plugins. https://t.co/XM2TRtKRKW
@f1tym1
23 Jun 2026
56 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes