
Flaw in Amazon's AI dev tool Kiro, CVE-2026-10591: open a folder, run code

Amazon Kiro flaw CVE-2026-10591 (CVSS 8.8): the AI's file-write tool can write to .vscode/tasks.json, auto-running an attacker's command when the folder opens. Prompt injection is the trigger. Update to Kiro 0.11 or later.

Makoto Horikawa
Backend Engineer / AWS / Django

2026.06.03 · 8 min read

Amazon's AI-powered development tool "Kiro" has a flaw where simply opening a project folder runs commands planted by an attacker (CVE-2026-10591). The CVSS severity is 8.8 out of 10 (High). The cause is that the feature Kiro's AI uses to write files automatically (the file-write tool) lacked enough guardrails, so it could write even to a configuration file that runs automatically. The fix ships in version 0.11.

Kiro is a new kind of "agentic" development tool: you give the AI instructions and it handles everything from writing and editing code to manipulating files. Behind that convenience, this case surfaced a risk specific to such tools — if the AI follows untrusted external information, its own hand can be made to write dangerous files. This article walks through what happens, under what conditions it is dangerous, and what to do now.

The flaw at a glance

First, the key facts. The defining trait is that the attack starts with "getting the AI to read or process untrusted information," followed by the act of opening a folder. It is not exploited one-sidedly over the internet, but the trigger is something developers do without a second thought.

ID: CVE-2026-10591
Affected: Amazon Kiro IDE before version 0.11
What happens: Opening a folder auto-runs arbitrary commands
Type: Incorrect permission assignment (CWE-732)
Severity: CVSS 8.8 (High), vector AV:N/AC:L/PR:N/UI:R
Prerequisite: AI processes crafted instructions + user opens the folder
Exploitation: None reported at time of writing (not in KEV)
Fix: Update to Kiro 0.11 or later

The reason the CVSS stops at 8.8 rather than a perfect 10.0 is that the attack needs user interaction (UI:R) — specifically, opening a folder. Still, telling the AI "look at this repo" or "use this page as reference" is everyday work, and if that input contains an attacker's plant, the prerequisite is easily met. It was found by the security firm Cymulate and disclosed in coordination with Amazon.

A single line ghost-written by the AI walks off with the developer's keyring

What makes this flaw frightening is that the hand writing the command becomes not the attacker, but the AI assistant the developer trusts and uses. The people who put a price on that are supply-chain attackers planting tricks in popular repositories, targeted groups that lure developers into using the AI under the guise of fake issues or code reviews, and initial-access brokers who use the dev environment as a foothold into the company. What gets carried off is what sleeps on the developer's machine: SSH private keys, cloud connection details, source code, and code-signing keys. Following the planted instruction, the AI rewrites the task configuration file, and the moment the developer next opens the folder, the attacker's command runs with their own privileges.

It does not stop at one step. With the cloud connection details, the attacker enters production or internal systems as a legitimate user. Stolen keys and credentials are resold on the dark web, and the buyer uses them as a foothold to lift source code, poison the build pipeline, and chain into every downstream user of the resulting artifacts. One developer's machine turns into the entrance to the whole company and its customers.

The cleanup falls on the team that adopted the tool, the IT department, and management. If keys or credentials leak, what remains is rotating keys across every affected system, notifying customers, explaining to partners, and lost trust. What never shows in the CVSS number is the new unease that, in exchange for "the convenience of leaving it to the AI," that very AI can become the attacker's ghost-writer. Keeping the tool current and staying mindful of what you let the AI read is what decides the developer's safety now.

What are Kiro and an "agentic AI development tool" in the first place

Kiro is an AI-powered development tool that Amazon (AWS) released in 2025. It embeds a conversational AI into the screen for writing programs (an IDE, an integrated development environment), and its base is the same open source (Code OSS) as Microsoft's "VS Code." It is one of the much-watched "let the AI write code" tools, alongside Cursor and GitHub Copilot.

Kiro's distinguishing feature is being "agentic." Where conventional AI assistance stopped at "offering suggestions," an agentic tool goes as far as actually creating and rewriting files and running commands by itself. The "file-write tool" at issue here is one of the capabilities given to the AI for that purpose. Convenient as it is, if the source of the "instructions" the AI follows is untrustworthy, its hand can be steered by an attacker.

The key here is a configuration file that VS Code-family editors have, .vscode/tasks.json. It is a file where you can write task automation such as "when the folder opens, run this process automatically," normally a mechanism to make development easier. But if an attacker's command is written into this file, it runs automatically the instant the folder is opened.

Inside CVE-2026-10591: the AI's write feature reached an auto-run file

The AWS security bulletin describes the flaw as: "Insufficient access control restrictions in the file write tool in Kiro IDE before version 0.11 might allow remote unauthenticated actors to execute arbitrary commands via crafted instructions that cause writes to execution-sensitive paths (such as .vscode/tasks.json), enabling auto-execution on folder open." In short, the write feature given to the AI could reach even the auto-run configuration file it should never touch (CWE-732, incorrect permission assignment for a critical resource).

The attack flow is this. The attacker plants, in a place the developer is likely to have the AI read — a repository file, a document, externally fetched information — an instruction like "write this into tasks.json," in a form not obvious to a human. This is the technique of hijacking the AI's commands, called "prompt injection." The AI obeys and rewrites the auto-run file, and the next time the developer opens that folder, the planted command runs with their own privileges.

The target is Kiro IDE before version 0.11, and the fixed 0.11 and later tightens the restrictions on the write tool. AWS says there is no workaround and urges updating to the latest version. The Kiro changelog also confirms that 0.11 is available.

The recurring "opening a folder is dangerous" hole in Kiro

In fact, this is not the first time Kiro has had an "opening a malicious place is dangerous" flaw. Earlier, CVE-2026-0830, where opening a crafted workspace let a command through, and CVE-2026-4295, where opening a crafted project folder ran arbitrary code, were disclosed and patched in turn. Because agentic tools are designed to give the AI broad privileges, even a slightly misplaced permission boundary tends to produce this kind of hole again and again.

The same worry is common to other tools. We have covered the four consecutive RCEs in the editor "Zed," where merely opening a malicious repository seizes the developer's machine. The more AI and automation spread the convenience of "something runs just by opening it," the more weight returns to the basics of not casually opening unknown code or repositories. It is a classic pitfall of an era where AI is used for both attack and defense.

Has it been exploited?

Let us separate what is known from what is not yet confirmed.

✓ Confirmed facts

  • Kiro's file-write tool could write to execution-sensitive paths such as .vscode/tasks.json, auto-running on folder open (AWS bulletin)
  • Affected is before 0.11; fixed in 0.11 and later. There is no workaround — updating is required (NVD)
  • Found by the security firm Cymulate. Kiro has also had similar "opening is dangerous" flaws fixed before

? Not yet confirmed

  • Any real-world exploitation — at the time of writing it is not in CISA's Known Exploited Vulnerabilities (KEV) catalog, and no public exploit code is confirmed
  • The concrete crafting needed to exploit it — the primary source stops at the mechanism, and no detailed PoC has been published

Quick check: are you affected?

The risk varies with whether you use Kiro and how. Find your situation in the table below.

Situation / Risk / Priority / What to do now

  • Kiro before 0.11, handling external code: risk of machine takeover. Priority: top (immediate). What to do now: update to 0.11 or later.
  • Before 0.11, but only your own code: prerequisites rarely align. Priority: high. What to do now: update to 0.11 soon.
  • Already on 0.11 or later: not affected by this flaw. Priority: normal. What to do now: confirm auto-update is enabled.

Especially dangerous is opening someone else's repository or externally received code in an old Kiro, or having the AI read it. If your organization distributes Kiro, confirm across the board that every endpoint is on 0.11 or later.

What developers and organizations should check now

The top priority is updating Kiro to 0.11 or later. Since no workaround is provided, updating is the only root fix. If you deploy it across an organization, inspect each developer's version and confirm auto-update is enabled.

As a defense that applies to agentic tools in general, enforce the basics of not casually opening untrusted repositories or code, and not having the AI read them. In an environment where you opened an unfamiliar project, check .vscode/tasks.json for any entries you do not recognize, and if needed, consider rotating the relevant credentials (SSH keys and cloud keys). To keep tracking development-related vulnerabilities, see supply-chain attacks targeting dev tools and our roundup of major 2026 H1 vulnerabilities.
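Two sides of the issue described above in one small Python script, added here as an example and not code from the article, AWS or Kiro: a path guardrail of the kind the write tool lacked, which refuses writes to execution-sensitive files after normalising the path, and the audit check from the previous paragraph, which lists tasks in a tasks.json that a VS Code-family editor runs on folder open (the runOptions.runOn == "folderOpen" field is the real schema; the sensitive-path list and the sample tasks.json are constructed for this example).

```python
import json
import posixpath
import re
from typing import Dict, List

# Workspace paths whose contents an editor may execute without asking.
# Hypothetical list for this example; the AWS bulletin names .vscode/tasks.json
# as one such "execution-sensitive path".
EXECUTION_SENSITIVE = {".vscode/tasks.json", ".vscode/launch.json"}

def is_execution_sensitive(rel_path: str) -> bool:
    """Guardrail a file-write tool should apply before writing a workspace path.
    Normalising first stops './', '..' or backslashes from slipping a
    sensitive path past a naive string comparison."""
    norm = posixpath.normpath(rel_path.replace("\\", "/")).lstrip("/")
    return norm in EXECUTION_SENSITIVE

def find_folder_open_tasks(tasks_json: str) -> List[Dict[str, str]]:
    """Return tasks a VS Code-family editor runs automatically on folder open,
    i.e. those with runOptions.runOn == "folderOpen". Full-line // comments
    (tasks.json is JSONC) are stripped; trailing comments are not handled."""
    text = re.sub(r"^\s*//.*$", "", tasks_json, flags=re.MULTILINE)
    hits = []
    for task in json.loads(text).get("tasks", []):
        if task.get("runOptions", {}).get("runOn") == "folderOpen":
            hits.append({"label": task.get("label", "<unlabelled>"),
                         "command": str(task.get("command", ""))})
    return hits

# Constructed sample: one ordinary build task and one auto-run task, the
# shape to look for after opening an unfamiliar project in an old Kiro.
SAMPLE_TASKS_JSON = """{
  "version": "2.0.0",
  // comment typical of a hand-edited tasks.json
  "tasks": [
    {"label": "build", "type": "shell", "command": "make"},
    {"label": "prep", "type": "shell", "command": "echo hello",
     "runOptions": {"runOn": "folderOpen"}}
  ]
}"""

if __name__ == "__main__":
    for hit in find_folder_open_tasks(SAMPLE_TASKS_JSON):
        print(f"auto-run task {hit['label']!r} runs: {hit['command']}")
    print(is_execution_sensitive("./.vscode/tasks.json"))  # True
```

Point find_folder_open_tasks at the contents of a real .vscode/tasks.json to see which tasks would fire on open; anything you did not write yourself is worth investigating before the folder is opened in an editor.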

FAQ

Q. Will I get taken over remotely just by having Kiro installed?

A. No. Exploitation requires getting the AI to process an attacker's planted instruction, followed by the user action of opening a folder. That said, having the AI read someone else's repository or external information is everyday work, so handling unknown code in an old version is dangerous.

Q. Which version should I update to?

A. Kiro IDE 0.11 or later is the fixed version. Since no workaround is provided, updating to the latest is mandatory. If auto-update is on it should already be current, but check the version to be sure.

Q. What is tasks.json, and why is it dangerous?

A. It is a configuration file in VS Code-family editors for automating work. Because it can hold a "run automatically when the folder opens" setting, if an attacker's command is written into it, that command runs the instant the folder is opened.

Q. How is Kiro different from VS Code or Cursor?

A. Kiro is Amazon's AI-powered development tool, built on the same open source as VS Code. Its distinguishing emphasis is being "agentic," where the AI itself performs file operations and command execution — and that broad privilege is the backdrop of this flaw.

Summary

CVE-2026-10591, found in Amazon's AI development tool Kiro, is a flaw where the file-write feature given to the AI could write even to the auto-run configuration file .vscode/tasks.json. The AI ghost-writes the attacker's instruction, and the moment the developer opens the folder, the command runs with their own privileges. The CVSS is 8.8, and the attack needs "getting the AI to process crafted information" and "opening a folder" — both easily met in everyday work. The fix is simple: update Kiro to 0.11 or later. Alongside that, enforce the basics of not casually having the AI read, or opening, untrusted code. Worth remembering: because agentic tools hand the AI broad privileges, this kind of hole tends to recur.
