CVE-2026-10591— Kiro IDE Insufficient File Write Restrictions to Execution-Sensitive Paths
Possible ATT&CK Techniques 3AI
T1059 · Command and Scripting Interpreter T1190 · Exploit Public-Facing Application T1547.001 · Registry Run Keys / Startup FolderGet alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-10591
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Kiro IDE Insufficient File Write Restrictions to Execution-Sensitive Paths
Source: NVD (National Vulnerability Database)
Vulnerability Description
Insufficient access control restrictions in the file write tool in Amazon Kiro IDE before version 0.11 might allow remote unauthenticated actors to execute arbitrary commands via crafted instructions that cause writes to execution-sensitive paths (such as .vscode/tasks.json), enabling auto-execution on folder open. To remediate this issue, users should upgrade to Kiro IDE version 0.11 or later.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
关键资源的不正确权限授予
Source: NVD (National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-10591
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-10591
请登录查看更多情报信息。
Vendor Pages for CVE-2026-10591 (1)
Other References for CVE-2026-10591 (1)
IV. Related Vulnerabilities
Same vendor: AWS
- CVE-2026-10584
HTTPS Fallback to HTTP in Graph Explorer - CVE-2026-9291
Insecure Deserialization in Amazon Braket SDK Job Results Pr - CVE-2026-9255
Tool Execution Without Authorization via Piped Stdin in Kiro - CVE-2026-9133
Arbitrary file read in rabbitmq-aws plugin - CVE-2026-8838
Remote Code Execution via eval() Injection in amazon-redshif
Same weakness: CWE-732
- CVE-2021-4481
Dräger Protector Software Local Privilege Escalation via Ins - CVE-2021-4480
Dräger Protector Software Local Privilege Escalation via Ins - CVE-2026-27788
ServerView Agents Windows V11.60.04及以前版本权限配置错误漏洞 - CVE-2026-9508
Incorrect Permission Assignment for Critical Resource vulner - CVE-2026-7480
ASUS System Control Interface 安全漏洞
V. Comments for CVE-2026-10591
No comments yet