Description
Missing symlink validation in Language Servers for AWS may allow an arbitrary file write outside of the workspace trust boundary. This may occur when a local user opens a workspace with a maliciously crafted symlink that resolves to a file path outside the workspace trust boundary.



To remediate this issue, users should upgrade to version 1.69.0 or higher.
Published: 2026-06-23
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a missing symlink validation that allows an attacker to create a link pointing to a file outside the trusted workspace and cause the Language Server to write data to that location. This results in unauthorized file modification, which can compromise system integrity. The flaw is a classic path traversal vulnerability (CWE‑61).

Affected Systems

All instances of Amazon Web Services Language Servers for AWS that run a version earlier than 1.69.0 are affected. Users who run older releases or have not applied the 1.69.0 update must consider this vulnerability.

Risk and Exploitability

The CVSS score of 8.5 indicates a high severity. EPSS data is not available, so the likelihood of exploitation is uncertain at this time. The likely attack vector is local, as the description suggests that a user must open a maliciously crafted workspace to trigger the write. The flaw is not listed in the CISA KEV catalog, implying no confirmed public exploits yet. Nonetheless, the ability to arbitrarily write files outside the workspace boundary poses a significant risk to confidentiality and integrity.

Generated by OpenCVE AI on June 24, 2026 at 11:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Language Server to version 1.69.0 or newer to apply the fix for symlink validation.
  • Before opening any workspace, audit it to ensure that no symlinks point to paths outside the intended directories and avoid opening workspaces from untrusted sources.
  • Configure file system permissions so that only authorized processes can write to critical directories and enforce the workspace trust boundary at the operating‑system level.

Generated by OpenCVE AI on June 24, 2026 at 11:11 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 23 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Amazon
Amazon language Servers For Aws
Vendors & Products Amazon
Amazon language Servers For Aws

Tue, 23 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 23 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
References

Tue, 23 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description Missing symlink validation in Language Servers for AWS may allow an arbitrary file write outside of the workspace trust boundary. This may occur when a local user opens a workspace with a maliciously crafted symlink that resolves to a file path outside the workspace trust boundary. To remediate this issue, users should upgrade to version 1.69.0 or higher.
Title Arbitrary file write in Language Servers for AWS
Weaknesses CWE-61
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 8.5, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Amazon Language Servers For Aws
cve-icon MITRE

Status: PUBLISHED

Assigner: AMZN

Published:

Updated: 2026-06-23T17:56:13.812Z

Reserved: 2026-06-23T01:55:37.178Z

Link: CVE-2026-12958

cve-icon Vulnrichment

Updated: 2026-06-23T17:56:10.517Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T11:15:04Z

Weaknesses
  • CWE-61

    UNIX Symbolic Link (Symlink) Following