Skip to main content

Kiro CLI EUVDEUVD-2026-31471

| CVE-2026-9255 HIGH
Missing Authorization (CWE-862)
2026-05-22 AMZN GHSA-cv6r-hx5v-c4m6
8.4
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.4 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

6
Analysis Updated
Jun 04, 2026 - 15:28 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 04, 2026 - 15:27 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 04, 2026 - 15:22 vuln.today
cvss_changed
CVSS changed
Jun 04, 2026 - 15:22 NVD
7.8 (HIGH) 8.4 (HIGH)
Patch available
May 26, 2026 - 14:16 EUVD
Analysis Generated
May 22, 2026 - 17:46 vuln.today

DescriptionCVE.org

Missing input source validation in the tool authorization prompt in Kiro CLI before 1.28.0 allows a local attacker to execute arbitrary tools, including shell commands, without user approval by crafting content that is piped to kiro-cli via stdin.

We recommend you to upgrade to kiro-cli version 1.28.0 or later.

AnalysisAI

Authorization bypass in AWS Kiro CLI versions prior to 1.28.0 allows a local attacker to invoke arbitrary tools, including shell commands, without triggering the user approval prompt by piping crafted content through stdin. Reported by Amazon (AMZN) and tagged as an Authentication Bypass, this issue has a vendor-released fix in 1.28.0; publicly available exploit code exists is not indicated, and the SSVC framework currently records no observed exploitation despite a Total technical impact rating.

Technical ContextAI

Kiro CLI is AWS's command-line agentic AI tool that requires user authorization before executing privileged actions such as shell tool calls. The root cause is CWE-862 (Missing Authorization), specifically a failure to validate the source of input feeding the tool-authorization prompt: when content arrives via stdin pipe, the CLI treats piped data as a legitimate confirmation signal rather than enforcing interactive user approval. The CPE cpe:2.3:a:aws:kiro_cli:*:*:*:*:*:*:*:* covers all builds prior to the fixed 1.28.0 release, and the EUVD entry confirms the affected range as 'Kiro CLI 0 <1.28.0'.

RemediationAI

Vendor-released patch: Kiro CLI 1.28.0 - upgrade immediately per the AWS security bulletin at https://aws.amazon.com/security/security-bulletins/2026-035-aws/ and the release notes at https://kiro.dev/changelog/cli/1-28/. Until the upgrade can be deployed, avoid piping any untrusted or attacker-influenceable content into kiro-cli via stdin (for example, do not run patterns like 'curl <url> | kiro-cli' or feed it the output of files or commands sourced from untrusted repositories, emails, or chat messages); instead, invoke kiro-cli interactively so the authorization prompt is rendered to a real TTY. On shared developer workstations, restrict write access to scripts and dotfiles that may invoke kiro-cli, and consider wrapping the binary with a shell alias that rejects non-TTY stdin until patched - the trade-off is breaking any legitimate scripted workflows that intentionally feed kiro-cli through pipes.

Share

EUVD-2026-31471 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy