← The Wire

Security2026-07-09 · source-backed

Amazon Q auto-loaded a repo's MCP config with no consent, and the NSA had to write a guidance sheet about it.

Confidence
source-backed
Sources
1
Redaction
redacted

Story

Wiz disclosed CVE-2026-12957 and CVE-2026-12958 in Amazon Q Developer, where the agent loaded MCP server configs straight out of a repo's .amazonq/mcp.json with no consent check and no workspace-trust gate. A booby-trapped repo could reach arbitrary code execution and steal AWS credentials just by being opened. In July the NSA responded with an official MCP Cybersecurity Information Sheet covering the inverted client-server pattern and arbitrary-code-execution exposure. This is now the canonical example of the rule agents keep breaking: workspace files are untrusted input, never trusted config. If your agent reads a dotfile from a cloned repo and acts on it, you have this bug.

Related stories

Each link below shares sources, entities, or timing with this story.

  1. Shared entities / Same source / Shared topic / Earlier coverage

    Amazon Q turned `git clone` into cloud RCE — CVE-2026-12957, CVSS 8.5.

    Both cover Amazon, AWS, CVE, Developer; cite the same source (CVE-2026-12957 and CVE-2026-12958); overlapping topics (agent, amazon, amazonq, cloned, config).

  2. Shared entities / Shared topic / Earlier coverage

    GitHub Copilot's Market Share Fell From 67% to 51%. Reliability Did It.

    Both cover Amazon, AWS, Developer; overlapping topics (agent, amazon); earlier Amazon coverage from 2026-05-22.

  3. Shared entities / Shared topic / Earlier coverage / Tension

    CircleCI ships an MCP server wiring pipeline data into coding agents.

    Both cover Amazon, MCP; overlapping topics (agent, amazon); earlier Amazon coverage from 2026-06-17.

  4. CVE-2026-29783: GitHub Copilot CLI Shell Expansion RCE

    Both cover CVE, MCP; overlapping topics (arbitrary, check); earlier CVE coverage from 2026-03-07.

  5. Shared entities / Shared topic / Earlier coverage

    MCPJam and nginx-ui Ship 9.8 RCE Bugs

    Both cover CVE, MCP; overlapping topics (agent, arbitrary, check); earlier CVE coverage from 2026-07-01.

  6. The NSA published its first design guidance for MCP.

    Both cover MCP, NSA; overlapping topics (agent, arbitrary-code-execution, client-server); earlier MCP coverage from 2026-06-14.

  7. Check Point Discloses Claude Code RCE (CVE-2026-21852)

    Both cover CVE, MCP; overlapping topics (check, config, consent); earlier CVE coverage from 2026-03-04.

  8. Shared entities / Earlier coverage

    Amazon Lost 6.3 Million Orders to a Vibe-Coded Deployment, and the Numbers Are Getting Worse Everywhere

    Both cover Amazon, CVE, Developer; earlier Amazon coverage from 2026-03-30.

Source trail

Entities

Provenance

AI generated
no
Story unit
2026-07-09-amazon-q-auto-loaded-a-repo-s-mcp-config-with-no-consent-and-the-nsa-had-to-write-a-guidance-she
Labels
source-backed, canonical briefing excerpt