Tip: If You Use Amazon Q, Move to AWS Language Server 1.69.0 (CVE-2026-12957/12958)
Wiz·low signal
Amazon Q auto-loaded a repo's .amazonq/mcp.json and executed the servers it defined on project open — no consent prompt — inheriting AWS keys, CLI tokens, and SSH sockets (CVSS 8.5). It's fixed in Language Server 1.65.0, but AWS's bulletin tells customers to move to 1.69.0. Updates are automatic unless your network blocks them, so verify the version if you work in locked-down environments.