CVE-2026-10591
Analyzed Analyzed - Analysis Complete
Arbitrary Command Execution in Amazon Kiro IDE

Publication date: 2026-06-02

Last updated on: 2026-06-05

Assigner: AMZN

Description
Insufficient access control restrictions in the file write tool in Amazon Kiro IDE before version 0.11 might allow remote unauthenticated actors to execute arbitrary commands via crafted instructions that cause writes to execution-sensitive paths (such as .vscode/tasks.json), enabling auto-execution on folder open. To remediate this issue, users should upgrade to Kiro IDE version 0.11 or later.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-02
Last Modified
2026-06-05
Generated
2026-06-22
AI Q&A
2026-06-02
EPSS Evaluated
2026-06-21
NVD
CVE-2026-10591
EUVD
EUVD-2026-33964
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
amazon kiro_ide to 0.11 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-732 The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-10591 is a vulnerability in the Amazon Kiro IDE before version 0.11 where insufficient access control restrictions in the file write tool allow remote unauthenticated actors to execute arbitrary commands.

This happens because attackers can craft instructions that write to execution-sensitive paths such as .vscode/tasks.json, which triggers automatic execution when a folder is opened.

The vulnerability enables attackers to run commands remotely without authentication, potentially compromising the system.

Impact Analysis

This vulnerability can have severe impacts including unauthorized remote code execution, which can lead to full compromise of the affected system.

  • Attackers can execute arbitrary commands remotely without needing any authentication.
  • It can result in high confidentiality, integrity, and availability impacts as indicated by the CVSS scores.
  • Malicious commands could be executed automatically when a user opens a folder, potentially spreading malware or stealing data.
Detection Guidance

There are no specific detection methods or commands provided to identify this vulnerability on your network or system.

Mitigation Strategies

To mitigate this vulnerability, users should upgrade the Kiro IDE to version 0.11 or later.

No workarounds are available for this issue.

Compliance Impact

The provided information does not specify how CVE-2026-10591 affects compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-10591. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart