← Back to Daily Briefing

Agentjacking: CVE-2026-12957 Exploits Amazon Q via Malicious MCP Configurations

Published July 6, 2026

Wiz Research has identified a high-severity vulnerability (CVE-2026-12957, CVSS 8.5) in Amazon Q Developer that allows for remote code execution (RCE) via "Agentjacking." By leveraging the Model Context Protocol (MCP), attackers utilize a "Fake Bug Report" social engineering vector to lure developers into opening booby-trapped repositories. These repositories contain a malicious .amazonq/mcp.json configuration file, which the AI agent automatically parses and executes with the developer's full environment privileges. This creates a direct pipeline from a local IDE session to enterprise cloud infrastructure compromise, enabling the exfiltration of live AWS credentials, API keys, and SSH agent access, effectively bypassing traditional perimeter-based security controls.

  • Threat Model & Vulnerability Overview

    • Exploits the inherent trust relationship between AI coding agents and local workspace configurations.
    • Leverages the Model Context Protocol (MCP) to extend agent capabilities into the local file system and network.
    • Transitions AI assistants from passive LLM chatbots to active, high-privilege execution engines.
  • Attack Mechanics & Exploitation Vector

    • Social Engineering: Attackers submit fraudulent bug reports via Sentry Error Events to direct developers toward malicious repositories.
    • Payload Delivery: The attacker-controlled repository contains a hidden .amazonq/mcp.json file containing malicious instructions.
    • Automated Execution: Upon opening the workspace, the Amazon Q agent automatically parses the MCP file, executing the payload without explicit user authorization.
  • Systemic & Security Impact

    • Blast Radius: Total compromise of the developer's local IDE environment and all associated security tokens.
    • Cloud Pivoting: Enables a "git clone to cloud compromise" pipeline, allowing attackers to move from a local machine to enterprise AWS environments.
    • Credential Theft: Immediate risk of exfiltrating live AWS IAM credentials, API keys, session tokens, and SSH agent access.
  • Detection & Mitigation

    • Immediate Remediation: Upgrade Amazon Q Developer to Language Server version 1.65.0 or higher.
    • Vendor Response: AWS Security Bulletin 2026-047 introduces mandatory consent prompts and workspace-trust validation.
    • Defensive Strategy: Implementing strict workspace-trust policies and monitoring for unauthorized .amazonq/ configuration files.
  • Conclusion

    • Represents a critical paradigm shift in software supply chain attacks via AI-driven "Agentjacking."
    • Underscores the necessity for rigorous "Human-in-the-loop" verification for all agentic autonomous actions.

Related posts

  1. The Register - Security — Amazon Q flaw let booby-trapped Git repos execute code, swipe cloud creds
  2. vibegraveyard.ai — Amazon Q Developer ran code from any repo you opened, no consent asked
  3. Digitalapplied
  4. Labs
  5. Dev
  6. Medium
  7. Dark Reading — Fake Bug Report Hijacks AI Coding Agents at Scale

LINK COPIED TO CLIPBOARD