CVE-2026-12957
Received Received - Intake
Improper Trust Boundary Enforcement in AWS Language Servers

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: AMZN

Description
Improper trust boundary enforcement in Language Servers for AWS before version 1.65.0 on all supported platforms may allow a for arbitrary code execution. If a local user opens a maliciously crafted workspace, any commands within the project configuration files may be automatically executed. This issue requires the user to trust the workspace when prompted. To remediate this issue, users should upgrade to Language Servers for AWS version 1.65.0 or higher.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-23
Last Modified
2026-06-23
Generated
2026-06-23
AI Q&A
2026-06-23
EPSS Evaluated
N/A
NVD
CVE-2026-12957
EUVD
EUVD-2026-38488
Affected Vendors & Products
Showing 8 associated CPEs
Vendor Product Version / Range
amazon language_servers_for_aws 1.65.0
amazon language_servers_for_aws to 1.65.0 (exc)
amazon language_servers_for_aws to 1.69.0 (exc)
amazon q_developer *
amazon q_developer visual_studio_code
amazon q_developer jetbrains
amazon q_developer eclipse
amazon q_developer visual_studio
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-732 The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-12957 is a vulnerability in the Language Servers for AWS used by Amazon Q Developer plugins in various IDEs such as Visual Studio Code, JetBrains, Eclipse, and Visual Studio. It involves improper trust boundary enforcement in versions before 1.65.0. Specifically, if a local user opens a maliciously crafted workspace and trusts it when prompted, commands within the project's configuration files may be automatically executed without further user interaction.

Compliance Impact

The provided information does not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Impact Analysis

This vulnerability can lead to arbitrary code execution on your system if you open and trust a maliciously crafted workspace in the affected Language Servers for AWS versions. This means an attacker could execute harmful commands or code on your machine without your explicit consent beyond trusting the workspace, potentially compromising your system's security and data.

Detection Guidance

There is no specific information provided about detection methods or commands to identify this vulnerability on your network or system.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade the Language Servers for AWS to version 1.65.0 or higher.

Additionally, ensure that you do not trust any maliciously crafted workspace when prompted, as the vulnerability requires user trust to be exploited.

No workarounds are available other than upgrading to the fixed versions.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-12957. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart