CVE-2026-4295
Received Received - Intake

Remote Code Execution via Trust Boundary Bypass in Kiro IDE

Vulnerability report for CVE-2026-4295, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-03-17

Last updated on: 2026-03-17

Assigner: AMZN

Description

Improper trust boundary enforcement in Kiro IDE before version 0.8.0 on all supported platforms might allow a remote unauthenticated threat actor to execute arbitrary code via maliciously crafted project directory files that bypass workspace trust protections when a local user opens the directory. To remediate this issue, users should upgrade to version 0.8.0 or higher.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-03-17
Last Modified
2026-03-17
Generated
2026-07-06
AI Q&A
2026-03-17
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
kiro ide to 0.8.0 (inc)
kiro ide to 0.8.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-829 The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-4295 is a vulnerability in Kiro IDE versions before 0.8.0 where improper enforcement of trust boundaries allows a remote unauthenticated attacker to execute arbitrary code. This happens when a local user opens a maliciously crafted project directory that bypasses the workspace trust protections.

Impact Analysis

[{'type': 'paragraph', 'content': "This vulnerability can lead to arbitrary code execution on your system if you open a malicious project directory in Kiro IDE versions prior to 0.8.0. This means an attacker could run harmful code without your permission, potentially compromising your system's confidentiality, integrity, and availability."}] [2]

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, users should upgrade Kiro IDE to version 0.8.0 or higher.

If immediate upgrade is not possible, avoid opening untrusted or suspicious project directories in the Kiro IDE to prevent arbitrary code execution.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-4295. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart