PT-2026-42816 · Kiro Cli · Kiro Cli

Published

2026-05-22

·

Updated

2026-06-09

·

CVE-2026-9255

CVSS v3.1

7.8

High

VectorAV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions Kiro CLI versions prior to 1.28.0
Description Missing input source validation in the tool authorization prompt allows a local attacker to execute arbitrary tools, including shell commands, without user approval. This is achieved by crafting content that is piped to kiro-cli via stdin (standard input, a data stream used by programs to receive text input).
Recommendations Upgrade to version 1.28.0 or later.

Fix

Missing Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-9255

Affected Products

Kiro Cli