CVE-2026-10591: CWE-732: Incorrect Permission Assignment for Critical Resource in AWS Kiro IDE
Insufficient access control restrictions in the file write tool in Amazon Kiro IDE before version 0.11 might allow remote unauthenticated actors to execute arbitrary commands via crafted instructions that cause writes to execution-sensitive paths (such as .vscode/tasks.json), enabling auto-execution on folder open. To remediate this issue, users should upgrade to Kiro IDE version 0.11 or later.
AI Analysis
Technical Summary
The vulnerability identified as CVE-2026-10591 (CWE-732) affects the AWS Kiro IDE file write tool before version 0.11. Due to insufficient access control restrictions, remote unauthenticated attackers can craft instructions that write to execution-sensitive files like .vscode/tasks.json. This can lead to arbitrary command execution triggered automatically upon folder opening. The CVSS 3.1 score is 8.8, reflecting high impact on confidentiality, integrity, and availability. AWS has addressed this vulnerability in Kiro IDE version 0.11 and manages remediation for this cloud-hosted service.
Potential Impact
Successful exploitation allows remote unauthenticated actors to execute arbitrary commands within the AWS Kiro IDE environment by writing to critical execution-sensitive files. This can compromise confidentiality, integrity, and availability of the affected system. The high CVSS score (8.8) indicates a significant security risk if exploited. No known active exploits have been reported.
Mitigation Recommendations
AWS has released Kiro IDE version 0.11, which fixes this vulnerability. As Kiro IDE is a cloud service, AWS manages the remediation server-side. Users should ensure they are using version 0.11 or later. Refer to the official AWS security bulletin at https://aws.amazon.com/security/security-bulletins/2026-037-aws/ for the latest remediation guidance.
CVSS v3.1
Score: 8.8 (High)
Weaknesses
CWE-732: Incorrect Permission Assignment for Critical Resource
Technical Details
- Data Version: 5.2
- Assigner Short Name: AMZN
- Date Reserved: 2026-06-01T20:46:32.966Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: null
- Is Cloud Service: true
- Vendor Advisory URLs: https://aws.amazon.com/security/security-bulletins/2026-037-aws/ (vendor: AWS)
Threat ID: 6a1efb62e29bf47b50db3482
Added to database: 6/2/2026, 3:48:50 PM
Last enriched: 6/2/2026, 4:18:33 PM
Last updated: 6/3/2026, 4:52:43 AM