Input Validation Flaw in Kiro CLI Tool by Kiro
CVE-2026-9255

8.4 HIGH

Key Information:

Vendor

AWS

Status
Vendor
CVE Published:
22 May 2026

What is CVE-2026-9255?

Kiro CLI prior to version 1.28.0 does not validate the source of the input it reads at the tool authorization prompt. Because of this missing check, a local attacker who controls content piped to Kiro CLI via standard input can cause arbitrary tools and shell commands to be executed without the user's approval, bypassing the confirmation step meant to protect system integrity. Users are advised to upgrade to Kiro CLI version 1.28.0 or later, where the issue is fixed.
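
The following added example illustrates the flaw class described above; it is not Kiro CLI's own code, and the function names, prompt wording and `/dev/tty` fallback are assumptions. It contrasts an approval prompt that trusts whatever arrives on standard input with one that checks the input source and fails closed when no interactive terminal is available.

```python
"""Illustration of the CVE-2026-9255 flaw class (not Kiro CLI's code; names are assumed):
a tool-authorization prompt that reads its answer from standard input without checking
that stdin is an interactive terminal, so piped content can supply the approving 'y'."""
import io
import sys
from dataclasses import dataclass
from typing import Callable, Optional, TextIO

@dataclass
class Decision:
    approved: bool
    reason: str

def _answered_yes(stream: TextIO) -> bool:
    return stream.readline().strip().lower() in ("y", "yes")

def approve_vulnerable(tool: str, command: str, answers: TextIO = sys.stdin) -> Decision:
    """Weak pattern: the next line on the input stream is treated as the user's
    answer, whether it came from a keyboard or from a pipe."""
    print(f"Allow {tool} to run {command!r}? [y/N] ", end="", flush=True)
    return Decision(_answered_yes(answers), "answer read from the input stream as-is")

def open_controlling_tty() -> Optional[TextIO]:
    """Open the controlling terminal; None when the process has none (CI, cron, pipes)."""
    try:
        return open("/dev/tty", "r")
    except OSError:
        return None

def approve_hardened(tool: str, command: str, answers: TextIO = sys.stdin,
                     tty_opener: Callable[[], Optional[TextIO]] = open_controlling_tty) -> Decision:
    """Fixed pattern: validate the input source first. Piped or redirected input never
    counts as approval; ask the controlling terminal instead and deny without one."""
    if not answers.isatty():
        answers = tty_opener()
        if answers is None:
            return Decision(False, "stdin is not a terminal and no /dev/tty: denied by default")
    print(f"Allow {tool} to run {command!r}? [y/N] ", end="", flush=True)
    return Decision(_answered_yes(answers), "answer read from an interactive terminal")

if __name__ == "__main__":
    # Constructed piped input: the request line, then a line that happens to be 'y'.
    for check in (approve_vulnerable, lambda *a: approve_hardened(*a, tty_opener=lambda: None)):
        piped = io.StringIO("summarize the README\ny\n")
        piped.readline()  # the CLI consumes the request; the stray 'y' is next in line
        print(check("shell", "ls -la", piped))  # vulnerable: approved, hardened: denied
```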

Affected Version(s)

Kiro CLI 0 < 1.28.0

References

CVSS V4

Score:
8.4
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved
