CVE-2026-4295
Status: Received - Intake
Remote Code Execution via Trust Boundary Bypass in Kiro IDE

Publication date: 2026-03-17

Last updated on: 2026-03-17

Assigner: AMZN

Description
Improper trust boundary enforcement in Kiro IDE before version 0.8.0 on all supported platforms might allow a remote unauthenticated threat actor to execute arbitrary code via maliciously crafted project directory files that bypass workspace trust protections when a local user opens the directory. To remediate this issue, users should upgrade to version 0.8.0 or higher.
Meta Information
Published: 2026-03-17
Last Modified: 2026-03-17
Generated: 2026-06-16
AI Q&A: 2026-03-17
EPSS Evaluated: 2026-06-15
Affected Vendors & Products (2 associated CPEs)
Vendor   Product   Version / Range
kiro     ide       up to 0.8.0 (inclusive)
kiro     ide       up to 0.8.0 (exclusive)
CWE
CWE-829: The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.
Executive Summary

CVE-2026-4295 is a vulnerability in Kiro IDE versions before 0.8.0 where improper enforcement of trust boundaries allows a remote unauthenticated attacker to execute arbitrary code. This happens when a local user opens a maliciously crafted project directory that bypasses the workspace trust protections.

Impact Analysis

This vulnerability can lead to arbitrary code execution on your system if you open a malicious project directory in Kiro IDE versions prior to 0.8.0. This means an attacker could run harmful code without your permission, potentially compromising your system's confidentiality, integrity, and availability. [2]

Mitigation Strategies

To mitigate this vulnerability, users should upgrade Kiro IDE to version 0.8.0 or higher.

If immediate upgrade is not possible, avoid opening untrusted or suspicious project directories in the Kiro IDE to prevent arbitrary code execution.
