Introduction
A crafted color theme name in a shared workspace is not the kind of attack vector most developers would think twice about, but in Kiro IDE versions prior to 0.8.140, that is exactly the entry point for arbitrary code execution. The flaw, tracked as CVE-2026-5429 with a CVSS score of 7.8, turns the IDE's Agent webview into an execution surface when a user opens and trusts a poisoned workspace.
Kiro IDE is an agentic development environment from AWS designed to help developers ship engineering work using integrated AI agents. The platform's 0.8 release cycle introduced features like built in code intelligence for 18 languages, custom diff tools, and remote authentication. As an AI powered IDE gaining traction in the developer tooling space, vulnerabilities in Kiro's trust boundaries carry implications for any organization adopting agentic development workflows.
Technical Information
The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), placing it in the cross site scripting (XSS) family. The specific attack surface is the Kiro Agent webview, an embedded browser component within the IDE that renders agent driven UI elements.
Root Cause
Workspace color theme names were passed directly into the Agent webview's page generation pipeline without proper sanitization. Because these theme names originate from workspace configuration files (which are user controlled), an attacker could embed script payloads within the theme name string. When the webview rendered the page, the unsanitized string would break out of its intended data context and be interpreted as executable code.
Attack Flow
The exploitation follows a clear sequence:
- Workspace Preparation: The attacker creates a workspace containing a color theme name with an embedded script payload.
- Delivery: The malicious workspace is delivered to the target through any file sharing mechanism: a Git repository, a shared project template, a zip archive, or similar.
- Workspace Opening: The victim opens the workspace in a vulnerable version of Kiro IDE (any version prior to 0.8.140).
- Trust Prompt: Kiro IDE presents a workspace trust dialog, asking the user whether to trust the environment.
- Trust Acceptance: If the user accepts, the workspace configuration is loaded, and the unsanitized color theme name is injected into the Agent webview.
- Code Execution: The payload executes as arbitrary code within the webview context.
The workspace trust prompt serves as the sole human control point in this chain. While this user interaction requirement is a meaningful gate, it provides limited practical protection. Developers routinely trust workspaces from colleagues, open source repositories, and shared project templates. Social engineering this step is straightforward in most organizational contexts.
It is worth noting that the attacker does not need to be authenticated to any service. The entire attack is delivered through the workspace artifact itself, making this a remote, unauthenticated attack vector with a local execution trigger.
Patch Information
Amazon addressed CVE-2026-5429 in Kiro IDE version 0.8.140, released and publicly disclosed on April 2, 2026. The fix was coordinated through AWS Security Bulletin 2026-012-AWS and is referenced in the vendor's official changelog at kiro.dev/changelog/ide/0-8/#patch-0-8-140.
The patch remediates the issue by sanitizing theme name inputs before they are injected into the page generation pipeline for the Agent webview. This ensures that user controlled strings sourced from workspace configuration can no longer break out of their intended data context and be interpreted as executable code.
Because Kiro IDE is a closed source product distributed by AWS, no public commit diff or pull request is available to inspect the exact code change. The fix is delivered as a binary update through Kiro's standard download channels at kiro.dev/downloads. The GitHub repository at github.com/kirodotdev/Kiro serves as a community issue tracker but does not host source code or release artifacts.
AWS credited security researcher Dhiraj Mishra for the coordinated disclosure.
Organizations running any version of Kiro IDE prior to 0.8.140 should upgrade immediately. Any downstream consumers using forked or derivative code that embeds Kiro IDE components must also patch independently to incorporate the fix.
As an interim measure, organizations that cannot patch immediately should instruct developers to deny trust requests for any external or unverified workspaces.
Affected Systems and Versions
| Component | Vulnerable Versions | Fixed Version |
|---|---|---|
| Kiro IDE | All versions prior to 0.8.140 | 0.8.140 |
| Kiro Agent webview | All versions prior to 0.8.140 | 0.8.140 |
| Forked or derivative code using Kiro components | Any embedding vulnerable Kiro components | Must patch independently |
The vulnerability affects all Kiro IDE installations running versions older than 0.8.140 regardless of operating system or deployment configuration. The only prerequisite is that the Kiro Agent webview is active, which is a default component of the IDE.
Vendor Security History
This is the second security bulletin AWS has issued for Kiro IDE in recent months. The earlier bulletin, 2026-009-AWS, addressed CVE-2026-4295, a separate arbitrary code execution flaw triggered via crafted project files. That vulnerability was fixed in version 0.8.0.
The current CVE-2026-5429 fix in version 0.8.140 is a subsequent patch within the same 0.8.x release line. The pattern of two code execution vulnerabilities in the trust boundary handling within a short timeframe suggests that this area of the codebase is undergoing active security hardening. Both issues share a common theme: user controlled workspace artifacts being processed with insufficient sanitization, leading to code execution when the workspace is trusted.
