Impact
The vulnerability involves the use of world‑readable file permissions (0644) for the authentication token cache file in Kiro IDE on macOS and Linux. This allows any local user to read the file, which contains tokens intended to be protected for the token holder only. The resulting breach of confidentiality could enable an attacker to impersonate the IDE user and potentially access internal resources. The weakness is a permissions error (CWE‑276).
Affected Systems
AWS Kiro IDE on macOS and Linux, versions prior to 0.11.133.
Risk and Exploitability
The CVSS score of 6.8 signifies a moderate impact. The EPSS score of less than 1% indicates a low likelihood of widespread exploitation. The vulnerability is not listed in CISA’s KEV catalog. Exploitation requires local file‑system access, common in shared or multi‑user environments. An attacker with such access can read the token cache and use the credentials for unauthorized actions.
OpenCVE Enrichment