CVE-2026-10591
Analyzed Analyzed - Analysis Complete

Arbitrary Command Execution in Amazon Kiro IDE

Vulnerability report for CVE-2026-10591, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-02

Last updated on: 2026-06-05

Assigner: AMZN

Description

Insufficient access control restrictions in the file write tool in Amazon Kiro IDE before version 0.11 might allow remote unauthenticated actors to execute arbitrary commands via crafted instructions that cause writes to execution-sensitive paths (such as .vscode/tasks.json), enabling auto-execution on folder open. To remediate this issue, users should upgrade to Kiro IDE version 0.11 or later.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-02
Last Modified
2026-06-05
Generated
2026-07-13
AI Q&A
2026-06-02
EPSS Evaluated
2026-07-11
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
amazon kiro_ide to 0.11 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-732 The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The provided information does not specify how CVE-2026-10591 affects compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-10591 is a vulnerability in the Amazon Kiro IDE before version 0.11 where insufficient access control restrictions in the file write tool allow remote unauthenticated actors to execute arbitrary commands.

This happens because attackers can craft instructions that write to execution-sensitive paths such as .vscode/tasks.json, which triggers automatic execution when a folder is opened.

The vulnerability enables attackers to run commands remotely without authentication, potentially compromising the system.

Impact Analysis

This vulnerability can have severe impacts including unauthorized remote code execution, which can lead to full compromise of the affected system.

  • Attackers can execute arbitrary commands remotely without needing any authentication.
  • It can result in high confidentiality, integrity, and availability impacts as indicated by the CVSS scores.
  • Malicious commands could be executed automatically when a user opens a folder, potentially spreading malware or stealing data.
Detection Guidance

There are no specific detection methods or commands provided to identify this vulnerability on your network or system.

Mitigation Strategies

To mitigate this vulnerability, users should upgrade the Kiro IDE to version 0.11 or later.

No workarounds are available for this issue.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-10591. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart