CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-12957 and CVE-2026-12958 - Issues in Language Servers for AWS and Amazon Q Developer Plugins

unknownCVE-2026-12957CVE-2026-12958
Bulletin ID: 2026-047-AWS Scope: AWS Content Type: Important (requires attention) Publication Date: 06/23/2026 09:30 AM PDT Description: Language Servers for AWS provide the underlying language-server runtime that powers Amazon Q Developer's AI coding assistance across its IDE plugins (Visual Studio Code, JetBrains, Eclipse, and Visual Studio). We identified CVE-2026-12957, an improper trust boundary enforcement issue in Language Servers for AWS before version 1.65.0. If a local user opens a maliciously crafted workspace, any commands within the project configuration files may be automatically executed. This issue requires the user to trust the workspace when prompted. We identified CVE-2026-12958, a missing symlink-validation issue in Language Servers for AWS before version 1.69.0. This may occur when a local user opens a workspace with a maliciously crafted symlink that resolves to a file path outside the workspace trust boundary. These issues affect the Amazon Q Developer IDE plugins, which bundle Language Servers for AWS. Both issues are remediated in Language Servers for AWS version 1.69.0. Affected products & versions: - Language Servers for AWS: < 1.69. - Amazon Q Developer for Visual Studio Code: < 2.20 - Amazon Q Developer for JetBains: < 4.3 - Amazon Q Developer for Eclipse: < 2.7.4 - AWS Toolkit with Amazon Q for Visual Studio: < 1.94.0.0 Please refer to the article below for the most up-to-date and complete information related to this AWS Security Bulletin.

CSIRTS triage

vendor: AWSproduct: Language Servers for AWSOtheraffected: < 1.65.0, < 1.69.0
What
Improper trust boundary enforcement and missing symlink-validation issues could lead to command execution and symlink exploitation.
Who is affected
Local users of Language Servers for AWS before the specified versions are affected.
Urgency
Remediation is important due to the potential for local exploitation.
Action
Update to Language Servers for AWS version 1.65.0 or later.

AI-assisted analysis generated from the source advisory — verify against the original.

⚡ Watch Language Servers for AWS

Get an email when a new Language Servers for AWS advisory drops — max one per day, one-click unsubscribe.

Details

Source
AWS Security Bulletins (INTL · vendor-psirt · site)
Severity
unknown
Published
2026-06-23
Exploitation
Not in CISA KEV at last sync

Original advisory: https://aws.amazon.com/security/security-bulletins/rss/2026-047-aws/

Exploitation outlook

EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.

Referenced CVEs

CVECSIRTS overviewExternal
CVE-2026-12957coverage & exploitation statusNVD · CVE.org
CVE-2026-12958coverage & exploitation statusNVD · CVE.org

More from AWS Security Bulletins