CVE-2026-12958: CWE-61 UNIX symbolic link (symlink) following in Amazon Web Services Language Servers for AWS
Missing symlink validation in Language Servers for AWS may allow an arbitrary file write outside of the workspace trust boundary. This may occur when a local user opens a workspace with a maliciously crafted symlink that resolves to a file path outside the workspace trust boundary. To remediate this issue, users should upgrade to version 1.69.0 or higher.
AI Analysis
Technical Summary
The vulnerability identified as CVE-2026-12958 (CWE-61) affects AWS Language Servers due to missing validation of symbolic links. This allows an attacker with local access to craft a symlink that points outside the workspace trust boundary, enabling arbitrary file writes beyond intended restrictions. The issue is mitigated by upgrading the Language Servers for AWS to version 1.69.0 or higher. AWS manages this as a cloud service, and the vendor advisory confirms the availability of a fix.
Potential Impact
An attacker with local user access can exploit this vulnerability to write files arbitrarily outside the workspace trust boundary, potentially leading to unauthorized modification of files and escalation of privileges within the affected environment. The CVSS 4.0 score of 8.5 reflects high impact due to the combination of local attack vector, low complexity, and high confidentiality, integrity, and availability impacts.
Mitigation Recommendations
Upgrade the AWS Language Servers to version 1.69.0 or later, as this version contains the fix for the symlink validation vulnerability. Since this is a cloud service managed by AWS, the vendor handles remediation server-side. Users should verify they are using the updated version per the AWS security bulletin at https://aws.amazon.com/security/security-bulletins/2026-047-aws/.
CVE-2026-12958: CWE-61 UNIX symbolic link (symlink) following in Amazon Web Services Language Servers for AWS
Description
Missing symlink validation in Language Servers for AWS may allow an arbitrary file write outside of the workspace trust boundary. This may occur when a local user opens a workspace with a maliciously crafted symlink that resolves to a file path outside the workspace trust boundary. To remediate this issue, users should upgrade to version 1.69.0 or higher.
CVSS v4.0
Score 8.5high
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability identified as CVE-2026-12958 (CWE-61) affects AWS Language Servers due to missing validation of symbolic links. This allows an attacker with local access to craft a symlink that points outside the workspace trust boundary, enabling arbitrary file writes beyond intended restrictions. The issue is mitigated by upgrading the Language Servers for AWS to version 1.69.0 or higher. AWS manages this as a cloud service, and the vendor advisory confirms the availability of a fix.
Potential Impact
An attacker with local user access can exploit this vulnerability to write files arbitrarily outside the workspace trust boundary, potentially leading to unauthorized modification of files and escalation of privileges within the affected environment. The CVSS 4.0 score of 8.5 reflects high impact due to the combination of local attack vector, low complexity, and high confidentiality, integrity, and availability impacts.
Mitigation Recommendations
Upgrade the AWS Language Servers to version 1.69.0 or later, as this version contains the fix for the symlink validation vulnerability. Since this is a cloud service managed by AWS, the vendor handles remediation server-side. Users should verify they are using the updated version per the AWS security bulletin at https://aws.amazon.com/security/security-bulletins/2026-047-aws/.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- AMZN
- Date Reserved
- 2026-06-23T01:55:37.178Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
- Is Cloud Service
- true
- Vendor Advisory Urls
- [{"url":"https://aws.amazon.com/security/security-bulletins/2026-047-aws/","vendor":"AWS"}]
Threat ID: 6a3ab6d7eed863c81e4f98f6
Added to database: 06/23/2026, 16:39:51 UTC
Last enriched: 06/23/2026, 17:10:04 UTC
Last updated: 06/23/2026, 20:17:40 UTC
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.