PT-2026-42816 · Kiro Cli · Kiro Cli
Published
2026-05-22
·
Updated
2026-06-09
·
CVE-2026-9255
CVSS v3.1
7.8
High
| Vector | AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Kiro CLI versions prior to 1.28.0
Description
Missing input source validation in the tool authorization prompt allows a local attacker to execute arbitrary tools, including shell commands, without user approval. This is achieved by crafting content that is piped to
kiro-cli via stdin (standard input, a data stream used by programs to receive text input).Recommendations
Upgrade to version 1.28.0 or later.
Fix
Missing Authorization
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Kiro Cli