CVE-2026-12958
Arbitrary file write in Language Servers for AWS
Description
Missing symlink validation in Language Servers for AWS may allow an arbitrary file write outside of the workspace trust boundary. This may occur when a local user opens a workspace with a maliciously crafted symlink that resolves to a file path outside the workspace trust boundary. To remediate this issue, users should upgrade to version 1.69.0 or higher.
In plain language
AI Worth attentionLanguage Servers for AWS can be tricked into writing files anywhere on your computer when you open a workspace containing a malicious link; if your team uses this tool, you should update to the fixed version.
In Language Servers for AWS, a missing symlink validation allows arbitrary file write outside the workspace trust boundary when a user opens a malicious workspace that contains symlinks resolving to paths outside the trusted directory.
What to do now
- Check which version of Language Servers for AWS is installed in your developer environment.
- If it’s older than 1.69.0, upgrade to Language Servers for AWS 1.69.0 or higher.
- If you can’t upgrade right away, avoid opening untrusted repositories/workspaces that could contain malicious symlinks.
CVSS Vector Breakdown
AV:LAttack VectorAC:LAttack ComplexityPR:NPrivileges RequiredUI:RUser InteractionS:UScopeC:HConfidentialityI:HIntegrityA:HAvailabilityWeaknesses
Affected Products
Exploitability
References
Unlock Complete Vulnerability Intelligence
Get the full picture for CVE-2026-12958 and every CVE in our database. Create a free account — no credit card required.
Create Free Account