Description
Processing specially crafted workspace folder names could allow for arbitrary command injection in the Kiro GitLab Merge-Request helper in Kiro IDE before version 0.6.18 when opening maliciously crafted workspaces.

To mitigate, users should update to the latest version.
Published: 2026-01-09
Score: 8.4 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

Processing specially crafted workspace folder names permits an attacker to inject arbitrary operating system commands when a malicious workspace is opened. The resulting unauthorized command execution can compromise the integrity and confidentiality of the system hosting the Kiro IDE, allowing the attacker to execute any code with the permissions of the running process.

Affected Systems

AWS Kiro IDE versions prior to 0.6.18 are vulnerable. Users of any earlier version who use the GitLab Merge-Request helper and open workspaces may be exposed through maliciously named folders.

Risk and Exploitability

The CVSS score of 8.4 indicates a high severity, reflecting the potential for full system compromise. The EPSS score of less than 1% suggests that, at the time of analysis, the likelihood of exploitation is low, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The attack would require an adversary to supply a crafted workspace or lure a user into opening one, making the vector dependent on social engineering or the supply chain. Given the high severity and the low exploitation probability, organizations should prioritize mitigation but can monitor for attacks if patching is delayed.

Generated by OpenCVE AI on April 18, 2026 at 07:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade AWS Kiro IDE to version 0.6.18 or newer to remove the vulnerable command processing logic.
  • If immediate upgrade is not possible, avoid opening or executing workspaces that originate from untrusted sources until a patch is applied.
  • Implement input validation or sanitization for workspace folder names in your deployment pipeline to prevent injected command strings from reaching the helper process.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 17:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Amazon kiro Ide
CPEs                 -                cpe:2.3:a:amazon:kiro_ide:*:*:*:*:*:*:*:*
Vendors & Products   -                Amazon kiro Ide

Mon, 12 Jan 2026 14:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Amazon
                                      Amazon aws Kiro Ide
Vendors & Products   -                Amazon
                                      Amazon aws Kiro Ide

Fri, 09 Jan 2026 22:15:00 +0000

Type                 Values Removed   Values Added
Metrics              -                ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 09 Jan 2026 21:30:00 +0000

Type                 Values Removed   Values Added
Description          (removed) Processing specially crafted workspace folder names could allow for arbitrary command injection in the Kiro GitLab Merge-Request helper in Kiro IDE before version 0.6.18 when opening maliciously crafted workspaces. To mitigate, users should update to version 0.6.18.
                     (added) Processing specially crafted workspace folder names could allow for arbitrary command injection in the Kiro GitLab Merge-Request helper in Kiro IDE before version 0.6.18 when opening maliciously crafted workspaces. To mitigate, users should update to the latest version.

Fri, 09 Jan 2026 21:15:00 +0000

Type                 Values Removed   Values Added
Description          -                Processing specially crafted workspace folder names could allow for arbitrary command injection in the Kiro GitLab Merge-Request helper in Kiro IDE before version 0.6.18 when opening maliciously crafted workspaces. To mitigate, users should update to version 0.6.18.
Title                -                Command Injection in Kiro GitLab Merge Request Helper
Weaknesses           -                CWE-78
References           -                -
Metrics              -                cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}
                                      cvssV4_0 {'score': 8.4, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: AMZN

Published:

Updated: 2026-01-09T21:18:53.768Z

Reserved: 2026-01-09T20:29:46.407Z

Link: CVE-2026-0830

Vulnrichment

Updated: 2026-01-09T21:18:49.421Z

NVD

Status: Analyzed

Published: 2026-01-09T21:16:14.127

Modified: 2026-04-28T17:41:17.557

Link: CVE-2026-0830

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T07:30:36Z

Weaknesses