HarborGuard Database

HIGH | CVE-2026-10591 | CNA: AMZN

CVE-2026-10591: Kiro IDE Insufficient File Write Restrictions to Execution-Sensitive Paths

Insufficient access control restrictions in the file write tool in Amazon Kiro IDE before version 0.11 might allow remote unauthenticated actors to execute arbitrary commands via crafted instructions that cause writes to execution-sensitive paths (such as .vscode/tasks.json), enabling auto-execution on folder open. To remediate this issue, users should upgrade to Kiro IDE version 0.11 or later.

Metrics

CVSS v4.0: 8.6
Severity: HIGH
Fixed in: 0.11
Affected Products: 1


HarborGuard Analysis

Synopsis

Insufficient file write restrictions in Amazon Kiro IDE (versions before 0.11) allow a remote, unauthenticated attacker to write to execution-sensitive paths such as .vscode/tasks.json. Because VS Code-style IDEs auto-execute task configurations on folder open, a crafted instruction that places a malicious tasks.json triggers arbitrary command execution on the developer's machine without further user action beyond opening a folder. A patched-image rebuild at version 0.11 is available on HarborGuard for environments running an affected version.
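As an added example of the kind of write guard whose absence this CVE describes (illustration code, not from Kiro IDE or HarborGuard): a check that resolves the requested destination inside the workspace and refuses execution-sensitive paths before any bytes are written. Only .vscode/tasks.json comes from the advisory; the .git/hooks entry and the verdict strings are assumptions.

```python
from pathlib import Path, PurePosixPath

# Workspace-relative paths whose contents the IDE or surrounding tooling runs
# without a separate user action. ".vscode/tasks.json" is the path named in
# the advisory; ".git/hooks" is an extra entry assumed here for illustration.
EXECUTION_SENSITIVE = (
    PurePosixPath(".vscode/tasks.json"),
    PurePosixPath(".git/hooks"),
)

ALLOW = "allow"
DENY_ESCAPE = "deny:escapes-workspace"
DENY_SENSITIVE = "deny:execution-sensitive"


def check_write(workspace_root: str, requested: str) -> str:
    """Decide whether a file-write tool may write `requested` in the workspace.

    The destination is resolved first (collapsing "..", absolute paths and
    symlinks), so "src/../.vscode/tasks.json" is judged by where the bytes
    would actually land, not by the string the caller supplied.
    """
    root = Path(workspace_root).resolve()
    target = (root / requested).resolve()
    try:
        rel = PurePosixPath(target.relative_to(root).as_posix())
    except ValueError:
        return DENY_ESCAPE  # outside the workspace entirely
    for denied in EXECUTION_SENSITIVE:
        # Exact match, or any file beneath a denied directory.
        if rel == denied or denied in rel.parents:
            return DENY_SENSITIVE
    return ALLOW


def guarded_write(workspace_root: str, requested: str, content: str) -> str:
    """Write only when check_write allows it; return the verdict either way."""
    verdict = check_write(workspace_root, requested)
    if verdict == ALLOW:
        dest = (Path(workspace_root).resolve() / requested).resolve()
        dest.parent.mkdir(parents=True, exist_ok=True)
        dest.write_text(content)
    return verdict


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as ws:
        for p in ("src/main.py", ".vscode/tasks.json",
                  "src/../.vscode/tasks.json", "../outside.txt"):
            print(f"{p:32} -> {guarded_write(ws, p, 'x')}")
```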

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-10591 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built images that bundle Kiro IDE, in both registry scans and CI pipeline checks.

Triage: Available

HarborGuard is capable of scoring this CVE at CVSS 8.6 (High) and weighting it against each environment's compliance policy to determine urgency; findings are routable to the team or inbox responsible for developer-tooling images within each customer organization.

Patch: Available

A patched-image rebuild pinned to Kiro IDE 0.11 becomes available on HarborGuard once the upstream fix version is confirmed. For customers who opt into auto-remediation, HarborGuard can perform the rebuild, run regression tests, and open a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The attacker delivers crafted instructions over the network to the Kiro IDE instance, so the service must be reachable remotely.

  • Authentication: Not required

    No credentials or account are needed; the vulnerability is exploitable by any unauthenticated remote actor.

  • Victim interaction: Required

    A developer must open the affected folder in Kiro IDE, which triggers auto-execution of the attacker-written task configuration.

  • Attack complexity: Low (AC:L in the CVSS vector)

    Exploitation is reliable and condition-free once the crafted file is written; no race conditions or special memory layout are required.

Blast Radius

  • Attacker executes arbitrary operating system commands in the context of the developer running Kiro IDE, gaining full access to that user session.
  • Confidential files accessible to the developer (source code, credentials, SSH keys, cloud tokens) are readable by the attacker.
  • The attacker can modify or delete files the developer has write access to, including local repository contents and configuration files.
  • Service availability for the affected developer workstation is fully disrupted if the attacker chooses to run destructive commands.

How HarborGuard Handles This

Available on HarborGuard: images containing Kiro IDE versions before 0.11 are flagged at CVSS 8.6 (High) as soon as the CVE is ingested, with findings matched against both registry snapshots and live pipeline builds. Where compliance policy permits auto-remediation, HarborGuard can rebuild the affected image at Kiro IDE 0.11, run a regression test suite against the rebuilt image, and open a pull request against the impacted workload, with median time from CVE publication to merged patch PR around 90 minutes for high-severity issues in environments with auto-remediation enabled. For customers who have not enabled auto-remediation, the rebuilt image at 0.11 is available for manual promotion. Until patched images are deployed, compensating controls available through HarborGuard include network-policy rules that restrict outbound connections from developer tooling containers and egress filtering to limit the paths through which crafted instructions can reach an IDE instance.


Fix available: 0.11

Affected packages
  • AWS / Kiro IDE: < 0.11 (from 0)

CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N