CVE-2026-9255

HIGH NVD

CVSS Score 7.8

Severity HIGH

Published May 22, 2026

Vendor unknown

Description

Missing input source validation in the tool authorization prompt in Kiro CLI before 1.28.0 allows a local attacker to execute arbitrary tools, including shell commands, without user approval by crafting content that is piped to kiro-cli via stdin. We recommend you to upgrade to kiro-cli version 1.28.0 or later.

References

https://aws.amazon.com/security/security-bulletins/2026-035-aws/
https://kiro.dev/changelog/cli/1-28/