Amazon Q vulnerability allows arbitrary code execution via MCP configurations
UNVERIFIED · Primary source · The Register
A high-severity flaw (CVE-2026-12957) in Amazon Q allowed automatic execution of commands from malicious configuration files.
The vulnerability could grant attackers access to developer credentials and cloud environments.
Amazon has released a patch in version 1.65.0.
Key Facts
01 — What / Thesis
Amazon Q vulnerability allows arbitrary code execution via MCP configurations
02 — Who / Subject
Amazon, Wiz
03 — Where / Locus
Global
04 — When / Temporality
June 2026
AI Verification Note
This article is generated by cross-referencing multiple sources and official announcements. Parts relying solely on testimony or reporting are reflected in the confidence score; content and assessment are updated as new information is confirmed.