2026-037-AWS

CVE-2026-10591 - Kiro IDE Insufficient File Write Restrictions to Execution-Sensitive Paths

Published
June 2, 2026
Last Modified

🔗 CVE IDs covered (1)

📋 Description

Bulletin ID: 2026-037-AWS
Scope: AWS
Content Type: Important (requires attention)
Publication Date: 06/02/2026 08:45 AM PDT

Description: Kiro is an agentic IDE users install on their desktop. We identified CVE-2026-10591. Insufficient access control restrictions in the file write tool in Kiro IDE prior to version 0.11 might allow remote unauthenticated actors to execute arbitrary commands via crafted instructions that cause writes to execution-sensitive paths (such as .vscode/tasks.json), enabling auto-execution on folder open.

Impacted versions:
Please refer to the article below for the most up-to-date and complete information related to this AWS Security Bulletin.
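
An added defender-side check, not part of the AWS bulletin or Kiro's code: it scans a directory tree for `.vscode/tasks.json` files and lists any task configured to run when the folder is opened, so the file can be reviewed before opening the workspace. It assumes the auto-execution the bulletin describes corresponds to VS Code's `runOptions.runOn: "folderOpen"` task setting; the function names and the sample file are constructed for illustration.

```python
import json
import re
import sys
from pathlib import Path

_STRING = r'"(?:\\.|[^"\\])*"'

def _drop(pattern, text):
    # Remove matches of `pattern` while leaving JSON string literals untouched.
    keep = lambda m: m.group(0) if m.group(0)[0] == '"' else ""
    return re.sub(_STRING + "|" + pattern, keep, text, flags=re.S)

def parse_jsonc(text):
    """tasks.json allows comments and trailing commas; strip both, then parse."""
    text = _drop(r"//[^\n]*|/\*.*?\*/", text)
    return json.loads(_drop(r",(?=\s*[}\]])", text))

def auto_run_tasks(doc):
    """Labels of tasks whose runOptions.runOn is "folderOpen" (assumed trigger)."""
    tasks = doc.get("tasks", []) if isinstance(doc, dict) else []
    return [t.get("label", "<unlabelled>") for t in tasks
            if isinstance(t, dict)
            and (t.get("runOptions") or {}).get("runOn") == "folderOpen"]

def scan_workspace(root):
    """Map every .vscode/tasks.json under root to its folder-open tasks."""
    findings = {}
    for path in Path(root).rglob(".vscode/tasks.json"):
        try:
            hits = auto_run_tasks(parse_jsonc(path.read_text(encoding="utf-8")))
        except (OSError, ValueError, AttributeError):
            hits = ["<unparseable: review by hand>"]  # fail closed: surface it
        if hits:
            findings[str(path)] = hits
    return findings

# Constructed sample, not taken from the bulletin. The URL inside a string
# checks that comment stripping does not cut string contents.
SAMPLE_TASKS_JSON = r'''{
  // constructed sample
  "version": "2.0.0",
  "tasks": [
    {"label": "build", "type": "shell", "command": "echo http://example.invalid"},
    {"label": "constructed-autorun", "type": "shell", "command": "echo hi",
     "runOptions": {"runOn": "folderOpen"},},
  ]
}'''

if __name__ == "__main__":
    for file, labels in scan_workspace(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(file, labels)
```

Run it against a cloned or downloaded project directory before opening that directory in the IDE; an empty result means no folder-open tasks were found, not that the workspace is otherwise safe.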

🔗 References (1)