Insufficient Access Control in Amazon Kiro IDE
CVE-2026-10591

8.6 HIGH

Key Information:

Vendor

Aws

Status
Vendor
CVE Published: 2 June 2026

What is CVE-2026-10591?

The file write tool in Amazon Kiro IDE prior to version 0.11 has insufficient access control restrictions. Remote unauthenticated actors can execute arbitrary commands by sending crafted instructions that cause writes to sensitive execution paths, such as .vscode/tasks.json, which can lead to automatic execution when the folder is opened. Users are advised to upgrade to version 0.11 or later to mitigate this vulnerability.
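A defensive check for the auto-execution path described above, as an added example that is not code from this page or from Amazon: it scans a directory tree for .vscode/tasks.json files and reports tasks set to run when the folder opens. It assumes the VS Code task schema (runOptions.runOn set to "folderOpen"); the function names and the sample file are constructed for illustration.

```python
import json
import re
from pathlib import Path

# Assumption: the VS Code tasks.json schema, where runOptions.runOn == "folderOpen"
# marks a task to start automatically when the folder is opened.
_STR = r'"(?:\\.|[^"\\])*"'
_COMMENT = re.compile(_STR + r'|//[^\n]*|/\*.*?\*/', re.S)
_TRAILING = re.compile(_STR + r'|,(?=\s*[}\]])')

def _keep_strings(m):
    # String literals pass through untouched; comments and trailing commas are dropped.
    return m.group(0) if m.group(0).startswith('"') else ""

def parse_jsonc(text):
    """Parse tasks.json text, which may carry comments and trailing commas."""
    return json.loads(_TRAILING.sub(_keep_strings, _COMMENT.sub(_keep_strings, text)))

def auto_run_tasks(doc):
    """Return (label, command) for each task configured to run on folder open."""
    hits = []
    tasks = doc.get("tasks") if isinstance(doc, dict) else None
    for task in tasks if isinstance(tasks, list) else []:
        opts = task.get("runOptions") if isinstance(task, dict) else None
        if isinstance(opts, dict) and opts.get("runOn") == "folderOpen":
            hits.append((task.get("label", "<unlabelled>"), task.get("command", "")))
    return hits

def scan_workspace(root):
    """Map each .vscode/tasks.json under root to its auto-run tasks, if any."""
    findings = {}
    for path in Path(root).rglob(".vscode/tasks.json"):
        try:
            hits = auto_run_tasks(parse_jsonc(path.read_text(encoding="utf-8")))
        except (OSError, ValueError) as exc:
            hits = [("<unparseable>", str(exc))]  # flag the file for manual review
        if hits:
            findings[str(path)] = hits
    return findings

# Constructed sample, not taken from any real project.
SAMPLE = """{
  // one ordinary task and one that runs on folder open
  "version": "2.0.0",
  "tasks": [
    {"label": "build", "type": "shell", "command": "make"},
    {"label": "setup", "type": "shell", "command": "echo started",
     "runOptions": {"runOn": "folderOpen"},},
  ],
}"""

if __name__ == "__main__":
    print(auto_run_tasks(parse_jsonc(SAMPLE)))
```

Running scan_workspace over a freshly cloned or agent-modified project before opening it in the IDE surfaces any such task for review.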

Affected Version(s)

Kiro IDE 0 < 11

CVSS V4

Score: 8.6
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Cymulate