Kiro IDE Remote Code Execution via Trust Boundary Bypass pre 0.8.0
CVE-2026-4295 Published on March 17, 2026

Arbitrary code execution via crafted project files in Kiro IDE
Improper trust boundary enforcement in Kiro IDE before version 0.8.0 on all supported platforms might allow a remote unauthenticated threat actor to execute arbitrary code via maliciously crafted project directory files that bypass workspace trust protections when a local user opens the directory. To remediate this issue, users should upgrade to version 0.8.0 or higher.

Vendor Advisory NVD

Vulnerability Analysis

CVE-2026-4295 can be exploited with local system access, requires user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.

Attack Vector:

LOCAL

Attack Complexity:

LOW

Privileges Required:

NONE

User Interaction:

REQUIRED

Scope:

UNCHANGED

Confidentiality Impact:

HIGH

Integrity Impact:

HIGH

Availability Impact:

HIGH

Weakness Type

Inclusion of Functionality from Untrusted Control Sphere

The software imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.

Products Associated with CVE-2026-4295

Want to know whenever a new CVE is published for Amazon Aws? stack.watch will email you.

Amazon Aws

Affected Versions

AWS Kiro IDE:

Version 0.1.0 and below 0.8.0 is affected.

Kiro IDE Remote Code Execution via Trust Boundary Bypass pre 0.8.0CVE-2026-4295 Published on March 17, 2026

Vulnerability Analysis

Weakness Type

Inclusion of Functionality from Untrusted Control Sphere

Products Associated with CVE-2026-4295

Affected Versions

Kiro IDE Remote Code Execution via Trust Boundary Bypass pre 0.8.0
CVE-2026-4295 Published on March 17, 2026