CVE Alert

CVE-2026-4295

HIGH 7.8

Arbitrary code execution via crafted project files in Kiro IDE

CVSS Score: 7.8
EPSS Score: 0.0%
EPSS Percentile: 0th

Improper trust boundary enforcement in Kiro IDE before version 0.8.0, on all supported platforms, may allow an unauthenticated attacker who can supply a maliciously crafted project directory to execute arbitrary code on the machine of a local user who opens that directory. The crafted files bypass the IDE's workspace trust protections, so the trust prompt cannot be relied on to contain them. The attacker needs no privileges on the victim's machine, but the victim must open the directory, which is why the vector is scored as Attack Vector: Local with User Interaction: Required even though the attacker is remote. To remediate this issue, upgrade to version 0.8.0 or later.

CWE: CWE-829 (Inclusion of Functionality from Untrusted Control Sphere)
Vendor: AWS
Product: Kiro IDE
Published: Mar 17, 2026
Last Updated: Mar 18, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Affected Versions

AWS / Kiro IDE: 0.1.0 <= version < 0.8.0 (fixed in 0.8.0)

References

NVD, CVE.org, EPSS Data
aws.amazon.com: https://aws.amazon.com/security/security-bulletins/2026-009-AWS/
kiro.dev: https://kiro.dev/changelog/ide/0-8/