Agentjacking: CVE-2026-12957 Exploits Amazon Q via Malicious MCP Configurations
Wiz Research has identified a high-severity vulnerability (CVE-2026-12957, CVSS 8.5) in Amazon Q Developer that allows for remote code execution (RCE) via "Agentjacking." By leveraging the Model Context Protocol (MCP), attackers utilize a "Fake Bug Report" social engineering vector to lure developers into opening booby-trapped repositories. These repositories contain a malicious .amazonq/mcp.json configuration file, which the AI agent automatically parses and executes with the developer's full environment privileges. This creates a direct pipeline from a local IDE session to enterprise cloud infrastructure compromise, enabling the exfiltration of live AWS credentials, API keys, and SSH agent access, effectively bypassing traditional perimeter-based security controls.
-
Threat Model & Vulnerability Overview
- Exploits the inherent trust relationship between AI coding agents and local workspace configurations.
- Leverages the Model Context Protocol (MCP) to extend agent capabilities into the local file system and network.
- Transitions AI assistants from passive LLM chatbots to active, high-privilege execution engines.
-
Attack Mechanics & Exploitation Vector
- Social Engineering: Attackers submit fraudulent bug reports via Sentry Error Events to direct developers toward malicious repositories.
- Payload Delivery: The attacker-controlled repository contains a hidden
.amazonq/mcp.jsonfile containing malicious instructions. - Automated Execution: Upon opening the workspace, the Amazon Q agent automatically parses the MCP file, executing the payload without explicit user authorization.
-
Systemic & Security Impact
- Blast Radius: Total compromise of the developer's local IDE environment and all associated security tokens.
- Cloud Pivoting: Enables a "git clone to cloud compromise" pipeline, allowing attackers to move from a local machine to enterprise AWS environments.
- Credential Theft: Immediate risk of exfiltrating live AWS IAM credentials, API keys, session tokens, and SSH agent access.
-
Detection & Mitigation
- Immediate Remediation: Upgrade Amazon Q Developer to Language Server version 1.65.0 or higher.
- Vendor Response: AWS Security Bulletin 2026-047 introduces mandatory consent prompts and workspace-trust validation.
- Defensive Strategy: Implementing strict workspace-trust policies and monitoring for unauthorized
.amazonq/configuration files.
-
Conclusion
- Represents a critical paradigm shift in software supply chain attacks via AI-driven "Agentjacking."
- Underscores the necessity for rigorous "Human-in-the-loop" verification for all agentic autonomous actions.
Related posts
- The Register - Security — Amazon Q flaw let booby-trapped Git repos execute code, swipe cloud creds
- vibegraveyard.ai — Amazon Q Developer ran code from any repo you opened, no consent asked
- Digitalapplied
- Labs
- Dev
- Medium
- Dark Reading — Fake Bug Report Hijacks AI Coding Agents at Scale