Security2026-06-26 · source-backed
Amazon Q turned `git clone` into cloud RCE — CVE-2026-12957, CVSS 8.5.
Story
Wiz Research disclosed that Amazon Q Developer auto-launched MCP servers defined in a repo's .amazonq/mcp.json, so a single config file in a cloned repo could execute code with your live AWS keys, cloud CLI tokens, and SSH agent attached. Reported April 20, fixed May 12, public writeup June 26. No known exploitation, but it's a textbook "repo config equals code execution" failure. The defense is concrete: treat any MCP config shipped inside a repo as untrusted code, disable auto-start of repo-defined servers, require explicit approval before spawning them.
Related stories
Each link below shares sources, entities, or timing with this story.
Shared entities / Shared topic / Earlier coverage
10 Skills of the Day
Both cover AWS, CLI, CVSS, MCP; overlapping topics (agent, code); earlier AWS coverage from 2026-03-25.
Shared entities / Shared topic / Earlier coverage / Tension
MCP Servers Are The New Shadow IT: 30 CVEs in 60 Days, 82% Vulnerable to Path Traversal, 38% Have Zero Auth
Both cover CVE, CVSS, MCP, RCE; overlapping topics (code, server); earlier CVE coverage from 2026-03-23.
Shared entities / Shared topic / Earlier coverage
One click to RCE: ~12,520 exposed MCP servers and a symlink trick that owns six major coding agents
Both cover MCP, RCE, SSH; overlapping topics (agent, code, config, repo, server); earlier MCP coverage from 2026-06-07.
The Agent Security Crisis Is Here: 36% of ClawHub Skills Malicious, 30+ MCP CVEs, RCE in Microsoft Agent Framework
Both cover CVE, CVSS, MCP, RCE; overlapping topics (agent, code); earlier CVE coverage from 2026-03-05.
Claude Code Hooks Vulnerability: RCE via Malicious Repo Config
Both cover CVE, CVSS, RCE; overlapping topics (agent, code, config, repo); earlier CVE coverage from 2026-03-03.
Shared entities / Shared topic / Tension
The config file is the new attack surface, across every IDE.
Both cover CLI, MCP, RCE; overlapping topics (amazon, code, config); pushes against this story (vs).
Shared entities / Shared topic / Earlier coverage
CVE-2026-27825: CVSS 10.0 Unauthenticated RCE in mcp-atlassian MCP Server
Both cover CVE, CVSS, MCP; overlapping topics (agent, code, server); earlier CVE coverage from 2026-03-20.
Vibe Coding Security Debt: Agents Systematically Remove Safety Controls
Both cover CVE, CVSS, RCE; overlapping topics (agent, code, config); earlier CVE coverage from 2026-03-03.
Source trail
Entities
Provenance
- Canonical issue
- Ramsay Research Agent — June 26, 2026
- AI generated
- no
- Story unit
- 2026-06-26-amazon-q-turned-git-clone-into-cloud-rce-cve-2026-12957-cvss-8-5
- Labels
- source-backed, canonical briefing excerpt