Description
Improper trust boundary enforcement in Kiro IDE before version 0.8.0 on all supported platforms might allow a remote unauthenticated threat actor to execute arbitrary code via maliciously crafted project directory files that bypass workspace trust protections when a local user opens the directory.
To remediate this issue, users should upgrade to version 0.8.0 or higher.
Published: 2026-03-17
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch
AI Analysis

Impact

The vulnerability arises from improper trust boundary enforcement in Kiro IDE before version 0.8.0. Code running inside the IDE incorrectly accepts partially trusted project directory files, allowing a malicious actor to inject arbitrary code that is executed when a local user opens the directory. This flaw is mapped to CWE-829 and results in Remote Code Execution, potentially compromising confidentiality, integrity, and availability of the host system.

Affected Systems

Affected systems include the AWS-branded Kiro IDE on all supported platforms, specifically any release older than 0.8.0. The build changelog indicates that the fix was introduced in the 0.8.0 release, meaning all earlier versions are vulnerable regardless of platform.

Risk and Exploitability

The CVSS score of 8.5 indicates a high severity with an impact of arbitrary code execution. EPSS data is not available and the vulnerability is not listed in CISA’s KEV catalog. Because the flaw can be triggered by a local user who opens a crafted project directory, an unauthenticated remote attacker can deliver such a directory and cause the affected user to unwittingly execute code. No known exploits have been published yet, but the combination of high severity and an easily exploitable attack vector warrants immediate remediation.

Generated by OpenCVE AI on March 17, 2026 at 20:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Kiro IDE version 0.8.0 or newer.


Advisories

No advisories yet.

History

Wed, 18 Mar 2026 14:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 18 Mar 2026 12:15:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Aws; Aws kiro Ide

Type: Vendors & Products
Values Removed: (none)
Values Added: Aws; Aws kiro Ide

Tue, 17 Mar 2026 19:30:00 +0000

Type: Description
Values Removed: (none)
Values Added: Improper trust boundary enforcement in Kiro IDE before version 0.8.0 on all supported platforms might allow a remote unauthenticated threat actor to execute arbitrary code via maliciously crafted project directory files that bypass workspace trust protections when a local user opens the directory. To remediate this issue, users should upgrade to version 0.8.0 or higher.

Type: Title
Values Removed: (none)
Values Added: Arbitrary code execution via crafted project files in Kiro IDE

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-829

Type: References
Values Removed: (none)
Values Added: (none)

Type: Metrics
Values Removed: (none)
Values Added:
  cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}
  cvssV4_0 {'score': 8.5, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: AMZN

Published:

Updated: 2026-03-18T14:07:58.063Z

Reserved: 2026-03-16T17:38:37.520Z

Link: CVE-2026-4295

Vulnrichment

Updated: 2026-03-18T14:07:48.006Z

NVD

Status: Awaiting Analysis

Published: 2026-03-17T20:16:14.840

Modified: 2026-03-18T14:52:44.227

Link: CVE-2026-4295

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-24T10:54:43Z

Weaknesses