CVE-2026-0830

Processing specially crafted workspace folder names could allow for arbitrary command injection in the Kiro GitLab Merge-Request helper in Kiro IDE before version 0.6.18 when opening maliciously crafted workspaces. To mitigate, users should update to the latest version.

Configurations

Configuration 1

cpe:2.3:a:amazon:kiro_ide:*:*:*:*:*:*:*:*

History

28 Apr 2026, 17:41

Type | Values Removed | Values Added
References | () https://aws.amazon.com/security/security-bulletins/2026-001-AWS/ - | () https://aws.amazon.com/security/security-bulletins/2026-001-AWS/ - Vendor Advisory
References | () https://kiro.dev/changelog/spec-correctness-and-cli/ - | () https://kiro.dev/changelog/spec-correctness-and-cli/ - Release Notes
CPE | | cpe:2.3:a:amazon:kiro_ide:*:*:*:*:*:*:*:*
First Time | | Amazon; Amazon kiro Ide

15 Apr 2026, 00:35

Type | Values Removed | Values Added
Summary | | (es) Processing specially crafted workspace folder names could allow arbitrary command injection in the Kiro GitLab merge request helper in Kiro IDE before version 0.6.18 when opening maliciously crafted workspaces. To mitigate, users should update to the latest version.

09 Jan 2026, 22:16

Type | Values Removed | Values Added
Summary | (en) Processing specially crafted workspace folder names could allow for arbitrary command injection in the Kiro GitLab Merge-Request helper in Kiro IDE before version 0.6.18 when opening maliciously crafted workspaces. To mitigate, users should update to version 0.6.18. | (en) Processing specially crafted workspace folder names could allow for arbitrary command injection in the Kiro GitLab Merge-Request helper in Kiro IDE before version 0.6.18 when opening maliciously crafted workspaces. To mitigate, users should update to the latest version.

09 Jan 2026, 21:16

Type | Values Removed | Values Added
New CVE | |

Information

Published : 2026-01-09 21:16

Updated : 2026-04-28 17:41


NVD link : CVE-2026-0830

Mitre link : CVE-2026-0830

CVE.ORG link : CVE-2026-0830


Products Affected

amazon

  • kiro_ide

CWE

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')