Amazon Q MCP config trust gap enabled repo-to-credential execution in four IDEs

Wiz demonstrated the chain in coordinated disclosure April 20: Amazon Q Language Servers read the MCP file from an untrusted workspace, launched the defined server, and passed the caller's AWS keys, tokens, and agent sockets without further gate. The same runtime ships in VS Code, JetBrains, Eclipse, and Visual Studio plugins, so all four were exposed until 1.65.0. AWS advisory language emphasizes the workspace prompt while omitting that MCP servers themselves required no explicit approval before the fix.

The pattern is structural. Claude Code (CVE-2025-59536), Cursor (CVE-2025-54136), and Windsurf (CVE-2026-30615) each converted project-level configuration into executable behavior with inadequate boundary checks. Repo-carried MCP entries are attacker-controlled input; turning them into local processes with ambient credentials collapses the trust model that workspace prompts were meant to protect.

A second flaw, CVE-2026-12958, allowed symlink writes outside the workspace boundary and was closed in the same 1.69.0 build. No in-the-wild exploitation is recorded in CISA ADP, yet the attack requires only a public repo and a developer who trusts their own clone.

Patched minimums are VS Code 2.20, JetBrains 4.3, Eclipse 2.7.4, Visual Studio 1.94.0.0. Language Servers auto-update unless blocked; reload pulls the new binary. Future agents must treat any MCP registration from a workspace as untrusted input requiring per-server explicit consent.