CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-12957

unknowncovered by 1 sourcefirst seen 2026-06-23
Bulletin ID: 2026-047-AWS Scope: AWS Content Type: Important (requires attention) Publication Date: 06/23/2026 09:30 AM PDT Description: Language Servers for AWS provide the underlying language-server runtime that powers Amazon Q Developer's AI coding assistance across its IDE plugins (Visual Studio Code, JetBrains, Eclipse, and Visual Studio). We identified CVE-2026-12957, an improper trust boundary enforcement issue in Language Servers for AWS before version 1.65.0. If a local user opens a maliciously crafted workspace, any commands within the project configuration files may be automatically executed. This issue requires the user to trust the workspace when prompted. We identified CVE-2026-12958, a missing symlink-validation issue in Language Servers for AWS before version 1.69.0. This may occur when a local user opens a workspace with a maliciously crafted symlink that resolves to a file path outside the workspace trust boundary. These issues affect the Amazon Q Developer IDE plugins, which bundle Language Servers for AWS. Both issues are remediated in Language Servers for AWS version 1.69.0. Affected products & versions: - Language Servers for AWS: < 1.69. - Amazon Q Developer for Visual Studio Code: < 2.20 - Amazon Q Developer for JetBains: < 4.3 - Amazon Q Developer for Eclipse: < 2.7.4 - AWS Toolkit with Amazon Q for Visual Studio: < 1.94.0.0 Please refer to the article below for the most up-to-date and complete information related to this AWS Security Bulletin.

CSIRTS triage

vendor: AWSproduct: Language Servers for AWSOtheraffected: < 1.65.0, < 1.69.0
What
Improper trust boundary enforcement and missing symlink-validation issues could lead to command execution and symlink exploitation.
Who is affected
Local users of Language Servers for AWS before the specified versions are affected.
Urgency
Remediation is important due to the potential for local exploitation.
Action
Update to Language Servers for AWS version 1.65.0 or later.

AI-assisted analysis generated from the source advisory — verify against the original.

⚡ Watch CVE-2026-12957

Get an email if CVE-2026-12957 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (1)

External references

NVD record for CVE-2026-12957

CVE.org record

Embed the live status

CVE-2026-12957 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-12957 status](https://www.csirts.com/badge/CVE-2026-12957)](https://www.csirts.com/cve/CVE-2026-12957)