CVE-2026-10591

HIGH

8.8CVSS v3

—CVSS v2

0.08% EPSS (exploit probability)

CWE-732CWE

Description

Insufficient access control restrictions in the file write tool in Amazon Kiro IDE before version 0.11 might allow remote unauthenticated actors to execute arbitrary commands via crafted instructions that cause writes to execution-sensitive paths (such as .vscode/tasks.json), enabling auto-execution on folder open.

To remediate this issue, users should upgrade to Kiro IDE version 0.11 or later.

CVSS v3 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected routers (0)

No routers currently mapped to this CVE in our database.

External references

NIST NVD
MITRE CVE