🟠 High  |  Source: AWS Security Bulletins


Two vulnerabilities have been identified in Language Servers for AWS, the runtime underpinning Amazon Q Developer’s IDE plugins for VS Code, JetBrains, Eclipse, and Visual Studio. CVE-2026-12957 allows arbitrary command execution when a user opens and trusts a maliciously crafted workspace, whilst CVE-2026-12958 enables path traversal outside the workspace boundary via a crafted symlink. Both issues are patched in Language Servers for AWS version 1.69.0 and in the corresponding IDE plugin updates.

Security Architect’s Take: Prioritise enforcing plugin update policies so that all developers are running the patched versions (Language Servers for AWS ≥ 1.69.0, and the corresponding IDE plugin versions), and consider advising development teams to avoid trusting unknown or third-party workspaces until the updates are confirmed deployed.

Original advisory: CVE-2026-12957 and CVE-2026-12958 - Issues in Language Servers for AWS and Amazon Q Developer Plugins