Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Local attack against a file on a shared filesystem; a low-privilege local user is sufficient; high confidentiality impact from token exposure; no integrity or availability impact.
Primary rating from Vendor (AMZN).
Description (source: CVE.org)
Incorrect default permissions in Kiro IDE on macOS and Linux before version 0.11.133 could expose the authentication token cache file to other local users or processes via world-readable permissions (0644) instead of owner-restricted permissions (0600).
To remediate this issue, users should upgrade to Kiro IDE version 0.11.133 or later. After upgrading and restarting the application, the cache file permissions are automatically updated on the next token refresh. Users operating in a multi-user environment can invalidate existing tokens by reauthenticating.
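The CWE-276 pattern behind this advisory, as an added example in Python (not Kiro's code; the cache file name is a placeholder because the page does not give the real path): a token cache written with the default umask beside one created owner-only at open time, an audit that flags exposure to other local users, and the same tighten-to-0600 remediation the fixed version applies on the next token refresh.

```python
import os
import stat
import tempfile

# Placeholder name: the real Kiro cache file path is not given on this page.
CACHE_NAME = "token-cache.json"

def write_cache_insecure(path: str, token: str) -> None:
    """Vulnerable pattern (CWE-276): open() creates the file with mode 0666
    masked only by the process umask, so the usual 022 umask yields 0644 and
    every local user can read the token."""
    with open(path, "w") as f:
        f.write(token)

def write_cache_secure(path: str, token: str) -> None:
    """Hardened pattern: request 0600 at creation time so the file is never
    world-readable, not even briefly. O_EXCL refuses to reuse a file that
    another local user may have pre-created at the same location."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(token)

def audit_file(path: str) -> tuple:
    """Return (mode, exposed): exposed is True when group or others hold any
    permission bit on the file, i.e. it is not owner-restricted."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    exposed = bool(mode & (stat.S_IRWXG | stat.S_IRWXO))
    return mode, exposed

def remediate_file(path: str) -> tuple:
    """Tighten an existing exposed cache file to 0600 (what the fixed version
    does on the next token refresh) and return the new audit result."""
    os.chmod(path, 0o600)
    return audit_file(path)

def demo() -> tuple:
    """Create both variants in a constructed temp dir and audit them."""
    old_umask = os.umask(0o022)  # typical interactive default, set explicitly
    try:
        with tempfile.TemporaryDirectory() as d:
            bad = os.path.join(d, "insecure-" + CACHE_NAME)
            good = os.path.join(d, "secure-" + CACHE_NAME)
            write_cache_insecure(bad, "constructed-sample-token")
            write_cache_secure(good, "constructed-sample-token")
            # (insecure audit, secure audit, insecure file after remediation)
            return audit_file(bad), audit_file(good), remediate_file(bad)
    finally:
        os.umask(old_umask)
```

Running `audit_file` over a user's existing cache file is the quick post-upgrade check: a result of `(0o600, False)` means the refresh has already applied the corrected permissions.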
Analysis (AI-generated)
Authentication token cache file exposure in Kiro IDE on macOS and Linux allows any local user to read credentials belonging to other users due to world-readable file permissions (0644) instead of the security-appropriate owner-only permissions (0600). All versions before 0.11.133 are affected on UNIX-based platforms; the vulnerability is confirmed by AWS via security bulletin 2026-045 and has been assigned CWE-276 (Incorrect Default Permissions). …
Attack Chain (AI-derived)
Hypothetical attack flow derived from CVE metadata (visualization not reproduced here).
Vulnerability Assessment (AI-generated)
| Aspect | Assessment |
| --- | --- |
| Exploitation | Exploitation requires that the attacker have local authenticated access to the same macOS or Linux system as a victim user who has Kiro IDE installed, has authenticated (creating the token cache file), and is running a version prior to 0.11.133 or has not yet completed a post-upgrade token refresh. … |
| Risk Assessment | The CVSS 4.0 score of 6.8 (Medium) accurately captures the threat model: exploitation is local-only (AV:L), requires low privilege (PR:L), and has no complexity barrier (AC:L, AT:N), but is limited to shared multi-user environments. … |
| Exploit Scenario | A low-privileged user on a shared Linux development server locates the Kiro IDE token cache file in another user's home directory and reads it directly using standard shell commands, since the 0644 permissions impose no access barrier. The attacker extracts the authentication token from the file and uses it to authenticate to AWS services or other downstream APIs that Kiro IDE is configured to access, impersonating the victim without triggering any authentication event. … |
| Remediation | Vendor-released patch: Kiro IDE version 0.11.133. … |
External POC / Exploit Code
EUVD-2026-36791
GHSA-vjw4-v5gx-3v45