Kiro IDE Insufficient File Write Restrictions to Execution-Sensitive Paths

8.8 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Description

Insufficient access control restrictions in the file write tool in Amazon Kiro IDE before version 0.11 might allow remote unauthenticated actors to execute arbitrary commands via crafted instructions that cause writes to execution-sensitive paths (such as .vscode/tasks.json), enabling auto-execution on folder open.

To remediate this issue, users should upgrade to Kiro IDE version 0.11 or later.

AI Analysis

Insufficient access control in Kiro IDE file write tool allows remote unauthenticated command execution via crafted instructions

Basic Information

ID CVE-2026-10591

Source AMZN

Published Jun 2, 2026 at 15:34

Affected Product

Vendor AWS

Product Kiro IDE

Affected Versions AWS Kiro IDE 0

CWE Classification

CWE-732

AI Assessment

AI Score 8.8 / 10

AI Severity High

Vendor Amazon

Product Kiro IDE

Version before 0.11

References

{
    "lastseen": "",
    "description": "Insufficient access control restrictions in the file write tool in Amazon Kiro IDE before version 0.11 might allow remote unauthenticated actors to execute arbitrary commands via crafted instructions that cause writes to execution-sensitive paths  (such as .vscode/tasks.json), enabling auto-execution on folder open.\n\n\n\nTo remediate this issue, users should upgrade to Kiro IDE version 0.11 or later.",
    "published": "2026-06-02T15:34:40.106Z",
    "modified": "2026-06-02T15:34:40.106Z",
    "type": "cve",
    "title": "Kiro IDE Insufficient File Write Restrictions to Execution-Sensitive Paths",
    "source": "AMZN",
    "references": "https://kiro.dev/changelog/ide/0-11/\nhttps://aws.amazon.com/security/security-bulletins/2026-037-aws/",
    "id": "CVE-2026-10591",
    "bulletinFamily": "",
    "cwe": [
        "CWE-732"
    ],
    "cvelist": null,
    "sourceData": "AWS Kiro IDE 0",
    "sourceHref": "",
    "cvss": {
        "score": 8.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Kiro IDE",
    "version": "0",
    "vendor": "AWS",
    "ai_description": "Insufficient access control in Kiro IDE file write tool allows remote unauthenticated command execution via crafted instructions",
    "ai_severity": "High",
    "ai_vendor": "Amazon",
    "ai_product": "Kiro IDE",
    "ai_version": "before 0.11",
    "ai_score": 8.8
}

Kiro IDE Insufficient File Write Restrictions to Execution-Sensitive Paths_CVE-2026-10591