Arbitrary code execution via crafted project files in Kiro IDE

Bulletin ID: 2026-009-AWS
Scope: AWS
Content Type: Important (requires attention)
Publication Date: 03/17/2026 12:15 PM PDT
Description:

Kiro is an AI-powered IDE for agentic software development. We identified CVE-2026-4295, where improper trust boundary enforcement allowed arbitrary code execution when a user opened a maliciously crafted project directory.

Impacted versions: < 0.8.0

Resolution:

This issue has been addressed in Kiro IDE version 0.8.0. The latest version is available here.

Workarounds:

Users who cannot immediately upgrade should avoid opening untrusted project directories in Kiro IDE.

References:


Please email aws-security@amazon.com with any security questions or concerns.