Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
Missing input source validation in the tool authorization prompt in Kiro CLI before 1.28.0 allows a local attacker to execute arbitrary tools, including shell commands, without user approval by crafting content that is piped to kiro-cli via stdin.
We recommend you to upgrade to kiro-cli version 1.28.0 or later.
AnalysisAI
Authorization bypass in AWS Kiro CLI versions prior to 1.28.0 allows a local attacker to invoke arbitrary tools, including shell commands, without triggering the user approval prompt by piping crafted content through stdin. Reported by Amazon (AMZN) and tagged as an Authentication Bypass, this issue has a vendor-released fix in 1.28.0; publicly available exploit code exists is not indicated, and the SSVC framework currently records no observed exploitation despite a Total technical impact rating.
Technical ContextAI
Kiro CLI is AWS's command-line agentic AI tool that requires user authorization before executing privileged actions such as shell tool calls. The root cause is CWE-862 (Missing Authorization), specifically a failure to validate the source of input feeding the tool-authorization prompt: when content arrives via stdin pipe, the CLI treats piped data as a legitimate confirmation signal rather than enforcing interactive user approval. The CPE cpe:2.3:a:aws:kiro_cli:*:*:*:*:*:*:*:* covers all builds prior to the fixed 1.28.0 release, and the EUVD entry confirms the affected range as 'Kiro CLI 0 <1.28.0'.
RemediationAI
Vendor-released patch: Kiro CLI 1.28.0 - upgrade immediately per the AWS security bulletin at https://aws.amazon.com/security/security-bulletins/2026-035-aws/ and the release notes at https://kiro.dev/changelog/cli/1-28/. Until the upgrade can be deployed, avoid piping any untrusted or attacker-influenceable content into kiro-cli via stdin (for example, do not run patterns like 'curl <url> | kiro-cli' or feed it the output of files or commands sourced from untrusted repositories, emails, or chat messages); instead, invoke kiro-cli interactively so the authorization prompt is rendered to a real TTY. On shared developer workstations, restrict write access to scripts and dotfiles that may invoke kiro-cli, and consider wrapping the binary with a shell alias that rejects non-TTY stdin until patched - the trade-off is breaking any legitimate scripted workflows that intentionally feed kiro-cli through pipes.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31471
GHSA-cv6r-hx5v-c4m6