CVE-2026-10591
HIGHKiro IDE Insufficient File Write Restrictions to Execution-Sensitive Paths
Title source: cnaDescription
Insufficient access control restrictions in the file write tool in Amazon Kiro IDE before version 0.11 might allow remote unauthenticated actors to execute arbitrary commands via crafted instructions that cause writes to execution-sensitive paths (such as .vscode/tasks.json), enabling auto-execution on folder open. To remediate this issue, users should upgrade to Kiro IDE version 0.11 or later.
References (2)
Core 2
Core References
Release Notes release-notes
https://kiro.dev/changelog/ide/0-11/
Vendor Advisory vendor-advisory
https://aws.amazon.com/security/security-bulletins/2026-037-aws/
Scores
CVSS v3
8.8
EPSS
0.0042
EPSS Percentile
33.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-732
Status
published
Products (2)
amazon/kiro_ide
< 0.11
AWS/Kiro IDE
< 11
Published
Jun 02, 2026
Tracked Since
Jun 02, 2026