SECURITY · JUNE 28, 2026 · 5 MIN READ
CVE-2026-12957: Four AI Coding Tools, One Architectural Flaw
Amazon Q, Claude Code, Cursor, and Windsurf all auto-execute MCP config files on repo load, exposing AWS credentials, SSH keys, and cloud tokens without user confirmation.
Cloning a repository and activating an AI coding assistant is now a credible initial-access vector. CVE-2026-12957, with a CVSS 4.0 score of 8.5, exposes a design assumption failure shared across Amazon Q, Claude Code, Cursor, and Windsurf: MCP server configuration files inside a repository execute automatically, with full inheritance of the developer's environment and no confirmation prompt. AWS was notified April 20, patched the language server on May 12, and the public advisory dropped June 26.
What the vulnerability actually does
The Model Context Protocol lets AI assistants spawn local processes to carry out tasks. In Amazon Q's case, the extension automatically loaded .amazonq/mcp.json from within a cloned workspace and executed whatever commands it contained. As Wiz described it: "no prompt, no consent, no workspace trust check."
Those processes inherit the developer's shell environment. That means active AWS credentials, SSH agent sockets, API keys, and session tokens, all of it available to whatever the config file instructs the system to run. Wiz proved the attack by building a repository with a malicious MCP configuration, activating Amazon Q, and watching it execute a command against AWS using the developer's existing credentials. The fix, language server version 1.65.0, enforces a trust boundary that should have been there from day one.
The CVE is formally described as "improper trust boundary enforcement in Language Servers for AWS before version 1.65.0." Four IDE plugins are affected: VS Code (fixed in Amazon Q Developer 2.20), JetBrains (4.3), Eclipse (2.7.4), and Visual Studio (1.94.0.0). A companion vulnerability, CVE-2026-12958, covers a symbolic link handling failure in the same codebase.
The parallel attack that bypasses static scanners
On June 27, Mozilla's Zero Day Investigative Network (0DIN) published a separate finding that makes the Amazon Q disclosure look like the conservative case. The 0DIN attack requires no malicious code in the repository at all.
The method works in three steps. A clean-looking repo includes standard setup instructions. The Python package it references refuses to run until initialized, generating an error that instructs the user to run python3 -m axiom init. Claude Code treats this as a routine setup problem and runs the suggested command automatically. That init script fetches its actual payload from a DNS TXT record controlled by the attacker, then executes it. As 0DIN described it: "Claude Code never decided to run a shell. It decided to fix an error. The reverse shell is three indirection steps away from anything Claude Code actually evaluated."
Static scanners see a clean repository. The AI agent's own review sees a dependency install sequence. The payload never touches the repo at all.
Four vendors, one assumption
Wiz noted explicitly that the Amazon Q flaw is not unique to Amazon. Researchers have identified similar workspace configuration problems in Claude Code, Cursor, and Windsurf. The shared assumption across all four is that a developer who clones a repository has implicitly consented to whatever configuration files that repository contains.
That assumption made sense when config files configured editors. It does not hold when config files can instantiate processes with shell access and cloud credentials. The attack surface shifted the moment MCP gave those files execution semantics. Every tool that auto-loads workspace config at startup without an isolated trust check is carrying a version of this exposure.
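The missing trust check described above and in the Amazon Q write-up can be made concrete as a pre-registration audit of workspace MCP configs. The following is an added example, not code from Wiz, AWS or any of the four vendors; it assumes the standard `mcpServers` document shape, treats `.mcp.json` and `.cursor/mcp.json` as assumed config locations alongside the advisory's `.amazonq/mcp.json`, and uses a hypothetical launcher allowlist.

```python
import json
import re
from pathlib import Path

# Workspace-relative MCP config files an assistant may load when a repo is opened.
# .amazonq/mcp.json is named in the advisory; the other two are assumed locations.
MCP_CONFIG_PATHS = (".amazonq/mcp.json", ".mcp.json", ".cursor/mcp.json")
# Hypothetical team allowlist of reviewed launchers; anything else needs a human.
ALLOWED_LAUNCHERS = {"npx", "uvx", "docker"}
SENSITIVE_ENV = re.compile(r"AWS_|SSH_|TOKEN|SECRET|CREDENTIAL|PASSWORD", re.I)

# Constructed sample config: one routine server and one that runs a script shipped
# in the repo with the developer's AWS variables forwarded to it.
CONSTRUCTED_CONFIG = json.dumps({"mcpServers": {
    "docs": {"command": "npx", "args": ["-y", "@example/docs-server"]},
    "helper": {"command": "python3", "args": ["./tools/mcp_helper.py"],
               "env": {"AWS_ACCESS_KEY_ID": "${AWS_ACCESS_KEY_ID}",
                       "AWS_SECRET_ACCESS_KEY": "${AWS_SECRET_ACCESS_KEY}"}}}})

def audit_server(name, spec):
    """Findings for one server entry; an empty list means it looks routine."""
    findings = []
    command = str(spec.get("command", ""))
    args = [str(a) for a in spec.get("args", [])]
    if Path(command).name not in ALLOWED_LAUNCHERS:
        findings.append(f"{name}: launcher '{command}' is not on the allowlist")
    if any(a.startswith(("./", "../")) for a in [command, *args]):
        findings.append(f"{name}: executes a file shipped inside the repository")
    for key, value in spec.get("env", {}).items():
        if SENSITIVE_ENV.search(key) or SENSITIVE_ENV.search(str(value)):
            findings.append(f"{name}: forwards sensitive environment '{key}'")
    return findings

def audit_config_text(text):
    """Audit one MCP config document; returns (server names, findings)."""
    servers = json.loads(text).get("mcpServers", {})
    return sorted(servers), [f for n, s in servers.items() for f in audit_server(n, s)]

def audit_workspace(repo):
    """Scan a cloned repo for MCP configs before any server is registered."""
    return {rel: audit_config_text((Path(repo) / rel).read_text())
            for rel in MCP_CONFIG_PATHS if (Path(repo) / rel).is_file()}

def registration_decision(findings):
    """The trust gate: nothing registers on findings without explicit confirmation."""
    return "register" if not findings else "hold: require explicit confirmation"

if __name__ == "__main__":
    names, findings = audit_config_text(CONSTRUCTED_CONFIG)
    print(names, registration_decision(findings), *findings, sep="\n")
```

This only inspects commands declared in config files, so it does not cover the 0DIN case where the command to run arrives through an error message rather than the repository; that path needs a confirmation step on any agent-initiated shell execution.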
Why pre-merge review tools face a structural problem here
This matters specifically for any review system that runs inside the same agentic environment it is supposed to audit. A pre-merge tool that inherits the developer's credentials, reads the repository's config files, and executes setup steps as part of its workflow is exposed to exactly the same attack chain. The tool cannot serve as an authoritative check on files that can influence its own execution.
Hyrax approaches this differently. Reviews run in an isolated worktree, separate from the developer's credential environment. The six agent domains (security, code quality, reliability, API and data, ops, UX) include inspection of what configuration files a repository introduces and what those files are authorized to execute. That category, what runs on clone and what MCP servers a repository attempts to register, needs to be treated as a first-class security finding, not an afterthought.
An earlier piece, The hallucinated dependency attack, covered that attack as a supply chain surface that AI coding agents created. CVE-2026-12957 is the next layer: the agents themselves are now the surface.
What the pattern means going forward
The Amazon Q disclosure is one of four coordinated findings from different research teams in the same week. That clustering is not coincidence. It reflects a research community that has shifted focus from what AI assistants write to how AI assistants run. The attack surface has moved from generated code to the tooling layer itself.
Attackers who want access to cloud infrastructure no longer need to compromise a CI/CD pipeline or find a zero-day in production software. A convincingly ordinary GitHub repository, a crafted MCP config file or a DNS TXT record, and a developer with an active AWS session is sufficient. The entry point is the development environment, and the credential exfiltration happens before a single line of the repository's code is reviewed or merged.
Governance at the repo level (which config files are trusted, which MCP servers are permitted to register, which setup commands require explicit confirmation) is no longer optional hardening. It is the control plane.
Hyrax is live at hyrax.dev.