anonhaven
Ad

CVE-2026-4295

HIGH CVSS 4.0: 8.5 EPSS 0.02%
Updated Mar 18, 2026
Improper
Parameter Value
CVSS 8.5 (HIGH)
Affected Versions before 0.8.0
Fixed In 0.8.0
Type CWE-829 (Inclusion of Functionality from Untrusted Source)
Vendor Improper
Public PoC No

Improper trust boundary enforcement in Kiro IDE before version 0.8.0 on all supported platforms might allow a remote unauthenticated threat actor to execute arbitrary code via maliciously crafted project directory files that bypass workspace trust protections when a local user opens the directory. To remediate this issue, users should upgrade to version 0.8.0 or higher.

Attack Parameters

Attack Vector
Local
Requires local access
Attack Complexity
Low
Easy to exploit
Attack Requirements
None
No additional conditions
Privileges Required
None
No privileges needed
User Interaction
Passive
Minimal interaction

Impact Assessment

Confidentiality
High
Complete data leak
Integrity
High
Complete data modification
Availability
High
Complete denial of service

CVSS Vector v4.0

Weakness Type (CWE)

CWE-829 Inclusion of Functionality from Untrusted Source

References 2

https://aws.amazon.com/security/security-bulletins/2026-009-AWS/
ff89ba41-3aa1-4d27-914a-91399e9639e5
https://kiro.dev/changelog/ide/0-8/
ff89ba41-3aa1-4d27-914a-91399e9639e5
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-4396

Improper

8.1

CVE-2026-3563

Ironmansoftware

5.5

CVE-2026-21004

Improper

6.9

CVE-2026-21002

Improper

5.9

CVE-2026-21000

Improper

7.0