Description
Improper trust boundary enforcement in Language Servers for AWS before version 1.65.0 on all supported platforms may allow for arbitrary code execution. If a local user opens a maliciously crafted workspace, any commands within the project configuration files may be automatically executed. This issue requires the user to trust the workspace when prompted.



To remediate this issue, users should upgrade to Language Servers for AWS version 1.65.0 or higher.
Published: 2026-06-23
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability stems from improper trust boundary enforcement in Amazon Web Services Language Servers for AWS. A maliciously crafted workspace can cause any commands listed in the project's configuration files to be executed automatically. The result is arbitrary code execution on the local machine, giving an attacker full control over the affected system.

Affected Systems

Affected versions are all Language Servers for AWS releases prior to 1.65.0 across all supported platforms. Users of earlier releases should verify their current version and consider the risk.

Risk and Exploitability

The CVSS score is 8.5, indicating high severity. The EPSS is not available, and the issue is not yet listed in CISA's KEV catalog. Attackers must have local access to the target machine and must be persuaded to open a malicious workspace; given that prerequisite and the significant impact, the overall risk warrants immediate remediation.

Generated by OpenCVE AI on June 24, 2026 at 11:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Language Servers for AWS to version 1.65.0 or later
  • Avoid opening workspaces from untrusted sources until the update is applied
  • Disable automatic execution of workspace configuration commands if the server allows configuration, or configure the workspace to prompt before execution

Advisories

No advisories yet.

History

Tue, 23 Jun 2026 21:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Amazon; Amazon language Servers For Aws |
| Vendors & Products | | Amazon; Amazon language Servers For Aws |

Tue, 23 Jun 2026 18:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'} |


Tue, 23 Jun 2026 18:15:00 +0000


Tue, 23 Jun 2026 16:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Improper trust boundary enforcement in Language Servers for AWS before version 1.65.0 on all supported platforms may allow for arbitrary code execution. If a local user opens a maliciously crafted workspace, any commands within the project configuration files may be automatically executed. This issue requires the user to trust the workspace when prompted. To remediate this issue, users should upgrade to Language Servers for AWS version 1.65.0 or higher. |
| Title | | Arbitrary Code Execution in Language Servers for AWS |
| Weaknesses | | CWE-732 |
| References | | |
| Metrics | | cvssV3_1: {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'} |
| Metrics | | cvssV4_0: {'score': 8.5, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'} |


MITRE

Status: PUBLISHED

Assigner: AMZN

Published:

Updated: 2026-06-23T17:50:18.371Z

Reserved: 2026-06-23T01:55:35.714Z

Link: CVE-2026-12957

Vulnrichment

Updated: 2026-06-23T17:50:13.572Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T11:15:04Z

Weaknesses
  • CWE-732

    Incorrect Permission Assignment for Critical Resource