A vulnerability in Kiro IDE (AWS’s agentic development environment) on macOS and Linux incorrectly sets the authentication token cache file to world-readable permissions (0644) rather than owner-only (0600). This means other local users or processes on the same machine could read the authentication token, potentially allowing unauthorised access to AWS services or the IDE’s AI capabilities. The issue affects all versions prior to 0.11.133.

Security Architect’s Take: Ensure all developers using Kiro IDE on macOS or Linux update to version 0.11.133 or later immediately. On shared or multi-user systems (including CI/CD build hosts or shared developer VMs), treat any existing token cache files as potentially compromised and rotate associated credentials.

Original advisory: CVE-2026-11931 - Insecure Permissions on Authentication Token Cache File in Kiro IDE