VYPR
Medium severity 5.5 · NVD Advisory · Published Jun 15, 2026

CVE-2026-11931

Description

Kiro IDE on macOS and Linux before 0.11.133 stores authentication tokens in a world-readable cache file, exposing them to other local users.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

In Kiro IDE on macOS and Linux, the authentication token cache file was created with world-readable permissions (0644) instead of owner-restricted permissions (0600) [2]. This affects Kiro IDE versions before 0.11.133 [1]. The cache file stores authentication tokens for AWS services, and the incorrect default permissions expose the file to any local user or process.

Exploitation

An attacker with local access to the system—either as a different user or through a malicious process—can directly read the token cache file without requiring any additional authentication or privileges [2]. The file is stored at a predictable path, making it easy to locate. No user interaction is needed beyond the victim having used Kiro IDE and generated a token cache.

Impact

Successful exploitation allows the attacker to retrieve cached authentication tokens [2]. These tokens can be used to impersonate the victim, gaining access to the victim's AWS accounts and resources configured in Kiro IDE [2]. This could lead to unauthorized data access, modification, or further lateral movement within the environment.

Mitigation

Users should upgrade to Kiro IDE version 0.11.133 or later [1]. After upgrading and restarting the application, the cache file's permissions are automatically corrected to 0600 on the next token refresh [2]. Users in multi-user environments can also invalidate existing tokens by reauthenticating to ensure immediate remediation [2]. No other workarounds are available.
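To verify a host before and after the upgrade, the following added example (not Kiro's code and not taken from the advisory) audits a token cache file's mode and shows a write routine that ends at 0600 even when an older 0644 copy already exists. The cache path is not given on this page, so the caller supplies it; all function names are illustrative.

```python
import os
import stat
import sys
import tempfile

EXPOSED_BITS = stat.S_IRWXG | stat.S_IRWXO  # any group or other access


def audit_cache_file(path):
    """Return (mode, exposed). exposed is True when anyone other than the
    owner has any access to the file, as with mode 0644."""
    st = os.lstat(path)  # lstat: do not follow a symlink planted at the path
    if not stat.S_ISREG(st.st_mode):
        raise ValueError(f"{path} is not a regular file")
    mode = stat.S_IMODE(st.st_mode)
    return mode, bool(mode & EXPOSED_BITS)


def harden_existing(path):
    """Tighten an already-written cache file to 0600; return the old mode."""
    old_mode, exposed = audit_cache_file(path)
    if exposed:
        os.chmod(path, 0o600)
    return old_mode


def write_cache_private(path, data: bytes):
    """Write data so the result is 0600 regardless of umask or of a
    pre-existing 0644 file (open() with O_CREAT keeps the old mode)."""
    directory = os.path.dirname(os.path.abspath(path))
    # mkstemp creates its file readable and writable by the owner only.
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".cache-")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
            fh.flush()
            os.fsync(fh.fileno())
        os.replace(tmp, path)  # atomic swap; the new inode carries 0600
    except BaseException:
        os.unlink(tmp)
        raise


if __name__ == "__main__":
    # Usage: python audit_cache.py <path-to-token-cache-file> ...
    for p in sys.argv[1:]:
        mode, exposed = audit_cache_file(p)
        print(f"{p}: {mode:04o} {'EXPOSED' if exposed else 'ok'}")
```

Tightening the mode does not revoke a token that was readable earlier, which is why the advisory's reauthentication step still applies on shared hosts.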

AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • AWS/Kiro Ide (inferred), 2 versions
    • (no CPE) range: <0.11.133
    • (no CPE) range: <0.11.133

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

2
