CVE-2026-10591

Published: Giu 02, 2026 Last Modified: Giu 02, 2026
ExploitDB:
Other exploit source:
Google Dorks:
HIGH 8,6
Source: ff89ba41-3aa1-4d27-914a-91399e9639e5
Attack Vector: network
Attack Complexity: low
Privileges Required: none
User Interaction: active
Confidentiality: N/A
Integrity: N/A
Availability: N/A
HIGH 8,8
Source: ff89ba41-3aa1-4d27-914a-91399e9639e5
Attack Vector: network
Attack Complexity: low
Privileges Required: none
User Interaction: required
Scope: unchanged
Confidentiality: high
Integrity: high
Availability: high

Description

AI Translation Available

Insufficient access control restrictions in the file write tool in Amazon Kiro IDE before version 0.11 might allow remote unauthenticated actors to execute arbitrary commands via crafted instructions that cause writes to execution-sensitive paths (such as .vscode/tasks.json), enabling auto-execution on folder open.

To remediate this issue, users should upgrade to Kiro IDE version 0.11 or later.

732

Incorrect Permission Assignment for Critical Resource

Draft
Abstraction: Class Structure: Simple
Common Consequences
Security Scopes Affected:
Confidentiality Access Control Integrity Other
Potential Impacts:
Read Application Data Read Files Or Directories Gain Privileges Or Assume Identity Modify Application Data Other
Applicable Platforms
Technologies: Not Technology-Specific, Cloud Computing
Likelihood of Exploit: High
View CWE Details
https://aws.amazon.com/security/security-bulletins/2026-037…
https://aws.amazon.com/security/security-bulletins/2026-037-aws/
https://kiro.dev/changelog/ide/0-11/
https://kiro.dev/changelog/ide/0-11/