AWS Language Server v1.69.0 Symlink Validation Flaw Enables Arbitrary File Write
CVE-2026-12958 Published on June 23, 2026
Arbitrary file write in Language Servers for AWS
Missing symlink validation in Language Servers for AWS may allow an arbitrary file write outside of the workspace trust boundary. This may occur when a local user opens a workspace with a maliciously crafted symlink that resolves to a file path outside the workspace trust boundary.
To remediate this issue, users should upgrade to version 1.69.0 or higher.
Vulnerability Analysis
CVE-2026-12958 is exploitable with local system access, requires user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.
Weakness Type
What is a Symlink following Vulnerability?
The software, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the software to operate on unauthorized files. A software system that allows UNIX symbolic links (symlink) as part of paths whether in internal code or through user input can allow an attacker to spoof the symbolic link and traverse the file system to unintended locations or access arbitrary files. The symbolic link can permit an attacker to read/write/corrupt a file that they originally did not have permissions to access.
CVE-2026-12958 has been classified to as a Symlink following vulnerability or weakness.
Products Associated with CVE-2026-12958
Want to know whenever a new CVE is published for Amazon Aws? stack.watch will email you.
Affected Versions
Amazon Web Services Language Servers for AWS:- Before 1.69.0 is affected.