CVE-2026-12957 | Improper trust boundary enforcement in Language Servers for … | CVSS 7.8 HIGH

Description

Improper trust boundary enforcement in Language Servers for AWS before version 1.65.0 on all supported platforms may allow a for arbitrary code execution. If a local user opens a maliciously crafted workspace, any commands within the project configuration files may be automatically executed. This issue requires the user to trust the workspace when prompted. To remediate this issue, users should upgrade to Language Servers for AWS version 1.65.0 or higher.

Metadata

CVE ID: CVE-2026-12957
State: PUBLISHED
Assigner: AMZN
Reserved: 2026-06-23 01:55 UTC
Published: 2026-06-23 16:02 UTC
Last updated: 2026-06-23 17:50 UTC
Primary CWE: CWE-732
CWE-732: Incorrect Permission Assignment for Critical Resour…
Vendor / Product: Amazon Web Services / Language Servers for AWS
Sources: cve.org · NVD

Severity & Metrics

7.8 HIGH CVSS 3.1

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

SSVC — CISA Coordinator

Exploitation: none
Automatable: no
Tech. Impact: total

Affected products (1)

Vendor	Product	Platform	Versions
Amazon Web Services	Language Servers for AWS	—	0 < 1.65.0

Weakness (CWE)

CWE	Source	Description
CWE-732	cna	CWE-732: Incorrect Permission Assignment for Critical Resource

CVSS scores (2)

Score	Severity	Version	Source	Vector
8.5	HIGH	4.0	cna	CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
7.8	HIGH	3.1	cna	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References (2)