Missing Symlink Validation in AWS Language Servers
CVE-2026-12958

8.5HIGH

Key Information:

Vendor: Amazon Web Services
Status: Language Servers For Aws
Vendor: CVE Published:; 23 June 2026

🔔 Create Amazon Web Services Vulnerability Alert

What is CVE-2026-12958?

A vulnerability in the Language Servers for AWS has been identified where missing symlink validation can potentially allow a local user to perform arbitrary file writes outside of the designated workspace trust boundary. This occurs when a workspace is opened that contains a maliciously crafted symlink pointing to a file path external to the secure workspace. Users are advised to upgrade to version 1.69.0 or higher to mitigate this risk.

Affected Version(s)

Language Servers for AWS 0 < 1.69.0

References

https://aws.amazon.com/security/security-bulletins/2026-0...

vendor-advisory

CVSS V4

Score:

8.5

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 23, 2026
Vulnerability Reserved
Jun 23, 2026

CVE-2026-12958 Data

JSON