CVE-2026-4295 HIGH

CVE-2026-4295: Arbitrary code execution via crafted project files in Kiro IDE

Vendor Aws
Product Kiro IDE
Weakness CWE-829 · Inclusion from untrusted sphere
Published March 17, 2026
Last update March 18, 2026

CVSS base score

7.8/10
Attack vector Local
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

Improper trust boundary enforcement in Kiro IDE before version 0.8.0 on all supported platforms might allow a remote unauthenticated threat actor to execute arbitrary code via maliciously crafted project directory files that bypass workspace trust protections when a local user opens the directory. To remediate this issue, users should upgrade to version 0.8.0 or higher.

Key dates

02Disclosure timeline

March 17, 2026 CVE published
March 18, 2026 Record updated