← The Wire

Security2026-06-26 · source-backed

Amazon Q turned `git clone` into cloud RCE — CVE-2026-12957, CVSS 8.5.

Confidence
source-backed
Sources
2
Redaction
passed

Story

Wiz Research disclosed that Amazon Q Developer auto-launched MCP servers defined in a repo's .amazonq/mcp.json, so a single config file in a cloned repo could execute code with your live AWS keys, cloud CLI tokens, and SSH agent attached. Reported April 20, fixed May 12, public writeup June 26. No known exploitation, but it's a textbook "repo config equals code execution" failure. The defense is concrete: treat any MCP config shipped inside a repo as untrusted code, disable auto-start of repo-defined servers, require explicit approval before spawning them.

Related stories

Each link below shares sources, entities, or timing with this story.

  1. Shared entities / Shared topic / Earlier coverage

    10 Skills of the Day

    Both cover AWS, CLI, CVSS, MCP; overlapping topics (agent, code); earlier AWS coverage from 2026-03-25.

  2. Shared entities / Shared topic / Earlier coverage / Tension

    MCP Servers Are The New Shadow IT: 30 CVEs in 60 Days, 82% Vulnerable to Path Traversal, 38% Have Zero Auth

    Both cover CVE, CVSS, MCP, RCE; overlapping topics (code, server); earlier CVE coverage from 2026-03-23.

  3. Shared entities / Shared topic / Earlier coverage

    One click to RCE: ~12,520 exposed MCP servers and a symlink trick that owns six major coding agents

    Both cover MCP, RCE, SSH; overlapping topics (agent, code, config, repo, server); earlier MCP coverage from 2026-06-07.

  4. The Agent Security Crisis Is Here: 36% of ClawHub Skills Malicious, 30+ MCP CVEs, RCE in Microsoft Agent Framework

    Both cover CVE, CVSS, MCP, RCE; overlapping topics (agent, code); earlier CVE coverage from 2026-03-05.

  5. Claude Code Hooks Vulnerability: RCE via Malicious Repo Config

    Both cover CVE, CVSS, RCE; overlapping topics (agent, code, config, repo); earlier CVE coverage from 2026-03-03.

  6. Shared entities / Shared topic / Tension

    The config file is the new attack surface, across every IDE.

    Both cover CLI, MCP, RCE; overlapping topics (amazon, code, config); pushes against this story (vs).

  7. Shared entities / Shared topic / Earlier coverage

    CVE-2026-27825: CVSS 10.0 Unauthenticated RCE in mcp-atlassian MCP Server

    Both cover CVE, CVSS, MCP; overlapping topics (agent, code, server); earlier CVE coverage from 2026-03-20.

  8. Vibe Coding Security Debt: Agents Systematically Remove Safety Controls

    Both cover CVE, CVSS, RCE; overlapping topics (agent, code, config); earlier CVE coverage from 2026-03-03.

Source trail

Entities

Provenance

AI generated
no
Story unit
2026-06-26-amazon-q-turned-git-clone-into-cloud-rce-cve-2026-12957-cvss-8-5
Labels
source-backed, canonical briefing excerpt