HIGH 8.8

CVE-2026-10591: Amazon Kiro IDE Remote Code Execution via Unsafe File Write

Amazon Kiro IDE before version 0.11 contains a flaw in its file write functionality that fails to properly restrict which directories and files can be modified. An attacker can exploit this by sending specially crafted instructions that trick the IDE into writing files to sensitive paths—such as VS Code configuration files that execute automatically when a folder is opened. This could allow remote code execution without requiring the user to authenticate or take risky steps beyond opening a project folder.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-732
Affected products
1 configuration(s)
Published / Modified
2026-06-02 / 2026-06-17

NVD description (verbatim)

Insufficient access control restrictions in the file write tool in Amazon Kiro IDE before version 0.11 might allow remote unauthenticated actors to execute arbitrary commands via crafted instructions that cause writes to execution-sensitive paths (such as .vscode/tasks.json), enabling auto-execution on folder open. To remediate this issue, users should upgrade to Kiro IDE version 0.11 or later.

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability stems from insufficient access control in Kiro IDE's file write tool (CWE-732: Improper Restriction of Rendered UI Layers or Frames). Before version 0.11, the tool does not adequately validate or restrict write operations to execution-sensitive paths. An attacker can craft malicious instructions that cause the IDE to write to files like .vscode/tasks.json, which VS Code automatically executes when a workspace is loaded. The attack vector is network-based, requires minimal complexity, and only needs user interaction (opening a folder), making it practical to exploit in real-world scenarios.

Business impact

A successful exploit allows arbitrary code execution on a developer's machine with the privileges of the IDE process. Attackers can steal source code, credentials, SSH keys, and environment secrets; inject malicious code into projects; establish persistence; or pivot to other systems on the developer's network. Teams managing shared or open-source projects face additional risk if contributors unknowingly open malicious project folders. The impact extends beyond individual developers to supply chain integrity, particularly if compromised projects are distributed downstream.

Affected systems

Amazon Kiro IDE versions prior to 0.11 are vulnerable. This affects development environments where Kiro IDE is installed, regardless of underlying OS, since the vulnerability is in the IDE's cross-platform file write logic. Developers who have not yet patched are at direct risk.

Exploitability

Exploitability is high. The attack requires no authentication, no special user privileges, and only social engineering or accidental interaction (opening a project folder). The CVSS score of 8.8 reflects this: network-accessible, low attack complexity, and high impact across confidentiality, integrity, and availability. No known public exploits are listed in CISA's KEV catalog, but the straightforward nature of the flaw means exploit code could be developed or weaponized quickly.

Remediation

Upgrade Amazon Kiro IDE to version 0.11 or later immediately. This patch restricts file write operations and prevents writes to execution-sensitive paths. Users should also review recent project folders they have opened for any unexpected task configuration files or suspicious entries in .vscode/tasks.json. Consider running a malware scan on affected systems and rotating any credentials or keys that may have been present in the development environment.

Patch guidance

Consult the official Amazon Kiro IDE release notes and update mechanism for version 0.11 or later. Verify the update signature and source to ensure you are downloading a legitimate patch. Organizations should test the patch in a non-production environment first, then deploy via their standard update process. For teams using multiple developer machines, consider automating or enforcing the update across all endpoints to prevent gaps in coverage.

Detection guidance

Monitor Kiro IDE file write operations and log any writes to .vscode/ directories, launch.json, tasks.json, or other execution-sensitive paths. Examine project folders for unexpected .vscode/tasks.json entries or suspicious shell commands within task definitions. Review IDE logs for unusual file write attempts originating from network instructions. Watch for indicators of compromise on developer machines, such as new network connections, unexpected process spawning, or exfiltration of source code or credentials. Network-based detection should flag requests that attempt to instruct Kiro IDE to write to sensitive paths.

Why prioritize this

This vulnerability should be treated as high-priority. It enables unauthenticated remote code execution on developer machines through a low-friction attack (opening a folder), with no exploitation barriers. Even without active KEV listing, the combination of high CVSS (8.8), ease of exploitation, and direct impact on code integrity and secrets makes rapid patching essential. Organizations with developers using Kiro IDE should prioritize this update within their patch management cycle.

Risk score, explained

The CVSS 3.1 score of 8.8 (HIGH) is justified by: network attack vector (AV:N) requiring no authentication (PR:N), low attack complexity (AC:L), minimal user interaction (UI:R—just opening a folder), and high impact on confidentiality, integrity, and availability (C:H/I:H/A:H). The attack does not require privilege escalation or access to other systems (S:U). The score appropriately reflects the real-world severity: a remote attacker can achieve code execution on a developer's machine with only social engineering or accidental interaction.

Frequently asked questions

What versions of Kiro IDE are affected?

All versions before 0.11 are vulnerable. Users should immediately update to 0.11 or later. Verify your current version in the IDE's About or Settings dialog and check for updates through the official release channel.

Can this vulnerability be exploited if I don't open a malicious project?

No. The attack requires user interaction—specifically, opening a project folder in Kiro IDE. If an attacker tricks you into opening a crafted project (e.g., via a pull request, shared link, or download), the malicious instructions execute automatically when the folder is opened. Exercise caution when opening unfamiliar projects, especially from untrusted sources.

Is there a workaround if I cannot patch immediately?

The safest interim mitigation is to avoid opening untrusted or unfamiliar project folders in Kiro IDE. If you must use Kiro IDE, review the contents of any .vscode/tasks.json files in project folders before opening them. Prefer downloading projects from trusted sources only. However, patching should remain the priority—upgrading to version 0.11+ is the definitive fix.

How can I tell if my system has been compromised by this vulnerability?

Check the .vscode/ directory in any projects you have opened recently for unexpected or suspicious task definitions, shell commands, or entries. Review IDE logs for unusual file write events. Run a malware scan on your development machine. If you suspect compromise, rotate all credentials, SSH keys, and API tokens that were present in your development environment, and notify your security team.

This analysis is provided for informational purposes and represents the current understanding of CVE-2026-10591 based on publicly available data as of the publication date. Users are responsible for verifying patch availability and compatibility within their specific environments. Always consult the vendor's official security advisory and release notes before applying patches. SEC.co makes no warranties regarding the completeness or accuracy of this analysis and assumes no liability for actions taken based on this information. Test all patches in non-production environments first. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).