CVE-2026-12958
Received - Intake
Missing symlink validation in AWS Language Servers

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: AMZN

Description
Missing symlink validation in Language Servers for AWS may allow an arbitrary file write outside of the workspace trust boundary. This may occur when a local user opens a workspace with a maliciously crafted symlink that resolves to a file path outside the workspace trust boundary. To remediate this issue, users should upgrade to version 1.69.0 or higher.
Affected Vendors & Products
Vendor Product Version / Range
aws language_servers From 1.69.0 (inc)
CWE ID Description
CWE-61 The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.
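
The containment check whose absence CWE-61 describes, as an added Node.js example; it is not the Language Servers code or the vendor's fix. The function names and the temp-directory workspace (`notes.txt`, `build`, `target.txt`) are hypothetical and constructed for illustration.

```javascript
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// Resolve every symlink in `candidate`. For a file that does not exist yet,
// resolve the deepest existing ancestor and re-append the missing tail.
function realpathAllowMissing(candidate) {
  const missing = [];
  let current = path.resolve(candidate);
  for (;;) {
    try {
      return path.join(fs.realpathSync(current), ...missing);
    } catch (err) {
      if (err.code !== 'ENOENT') throw err;
      // ENOENT on an entry lstat can still see is a dangling symlink: refuse it.
      if (fs.lstatSync(current, { throwIfNoEntry: false })) {
        throw new Error(`dangling symlink: ${current}`);
      }
      const parent = path.dirname(current);
      if (parent === current) throw err;
      missing.unshift(path.basename(current));
      current = parent;
    }
  }
}

// True only if the fully resolved path stays under the resolved workspace root.
function isInsideWorkspace(workspaceRoot, candidate) {
  const root = fs.realpathSync(workspaceRoot);
  const rel = path.relative(root, realpathAllowMissing(path.resolve(root, candidate)));
  return rel !== '..' && !rel.startsWith('..' + path.sep) && !path.isAbsolute(rel);
}

// Constructed sample workspace (hypothetical names) built in a temp directory.
function demo() {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), 'ws-demo-'));
  const [ws, outside] = [path.join(base, 'workspace'), path.join(base, 'outside')];
  fs.mkdirSync(ws); fs.mkdirSync(outside);
  fs.writeFileSync(path.join(outside, 'target.txt'), 'original');
  fs.symlinkSync(path.join(outside, 'target.txt'), path.join(ws, 'notes.txt'));
  fs.symlinkSync(outside, path.join(ws, 'build'));
  const results = {
    newFile: isInsideWorkspace(ws, 'src/new.ts'),      // ordinary new file
    fileSymlink: isInsideWorkspace(ws, 'notes.txt'),   // link to outside file
    dirSymlink: isInsideWorkspace(ws, 'build/out.js'), // link to outside dir
  };
  fs.rmSync(base, { recursive: true, force: true });
  return results;
}
console.log(demo());
```

The check and the later write are separate steps, so an implementation built on this also has to account for the path changing between them.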
Mitigation Strategies

To remediate this issue, users should upgrade to version 1.69.0 or higher of the AWS Language Servers.

Executive Summary

This vulnerability involves missing symlink validation in Language Servers for AWS. It allows a local user to write arbitrary files outside of the intended workspace trust boundary by opening a workspace containing a maliciously crafted symbolic link that points to a file path outside the trusted workspace.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Impact Analysis

The vulnerability can lead to unauthorized file writes outside the trusted workspace, potentially allowing an attacker to modify or create files in sensitive locations. This could result in data corruption, privilege escalation, or compromise of system integrity.
