Researchers at Wiz disclosed a high-severity flaw in the Amazon Q Developer extension for Visual Studio Code that could let attackers steal developers’ cloud credentials by tricking them into opening a malicious repository. AWS has patched the issue as CVE-2026-12957, along with a related symbolic link flaw CVE-2026-12958, and released fixes across affected IDE plugins and the language server. #AmazonQDeveloper #Wiz #AWS #CVE-2026-12957 #CVE-2026-12958
Key points
- Wiz found a high-severity vulnerability in Amazon Q Developer for Visual Studio Code.
- A malicious repository could trigger attacker-controlled commands when opened.
- The flaw could expose cloud credentials and API keys from the developer’s environment.
- AWS patched the issue as CVE-2026-12957 and also fixed the related symbolic link flaw, CVE-2026-12958.
- The issue affected Amazon Q Developer plugins for VS Code, JetBrains, Eclipse, Visual Studio, and the language server.