Kiro IDE 0.11.133 fixes insecure token cache permissions (CVE-2026-11931)
CVE-2026-11931 Published on June 15, 2026

Insecure Permissions on Authentication Token Cache File in Kiro IDE
Incorrect default permissions in Kiro IDE on macOS and Linux before version 0.11.133 could expose the authentication token cache file to other local users or processes via world-readable permissions (0644) instead of owner-restricted permissions (0600). To remediate this issue, users should upgrade to Kiro IDE version 0.11.133 or later. After upgrading and restarting the application, the cache file permissions are automatically updated on the next token refresh. Users operating in a multi-user environment can invalidate existing tokens by reauthenticating.

Vendor Advisory NVD

Vulnerability Analysis

CVE-2026-11931 can be exploited with local system access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity and availability.

Attack Vector:
LOCAL
Attack Complexity:
LOW
Privileges Required:
LOW
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
NONE
Availability Impact:
NONE

Weakness Type

Incorrect Default Permissions

During installation, installed file permissions are set to allow anyone to modify those files.


Products Associated with CVE-2026-11931

stack.watch emails you whenever new vulnerabilities are published in Aws Kiro Ide or Amazon Aws. Just hit a watch button to start following.

Aws Kiro Ide
 
Amazon Aws
 

Affected Versions

AWS Kiro IDE: