
CVE-2026-12957

Amazon Q Developer · HIGH · CVSS 7.8 · No exploitation reported

What is CVE-2026-12957?

Improper trust boundary enforcement in Language Servers for AWS before version 1.65.0 on all supported platforms may allow for arbitrary code execution. If a local user opens a maliciously crafted workspace, any commands within the project configuration files may be automatically executed. This issue requires the user to trust the workspace when prompted. To remediate this issue, users should upgrade to Language Servers for AWS version 1.65.0 or higher.

CVSS: 7.8 (NVD 3.1)
Severity: HIGH
Exploitation: No exploitation reported
EPSS: <1% · P2
Triage status: No Known Exploit
Action: Patch this week
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-732
NVD published: 2026-06-23
NVD last modified: 2026-06-23

Affected product

Amazon Q Developer

Remediation Steps

  1. Update Amazon Q Developer to the patched version
  2. Audit workspace trust settings and review recent repository additions
  3. Review cloud credential exposure logs for unauthorized access
  4. Restrict MCP server configurations to trusted, vetted repositories only

This CVE page is generated by defend.network from NVD, CISA KEV, EPSS, and our verified daily briefings. Severity and exploitation data come from official sources; always verify remediation steps against the official vendor advisory before acting in production.
