CVE-2026-11931
MediumCVSS 5.5Exploitation Probability (EPSS)
Low risk2th percentile — higher than 2% of all known CVEs
Summary
Kiro IDE on macOS and Linux before version 0.11.133 has incorrect default permissions that could expose the authentication token cache file to other local users or processes. The file permissions are set to 0644 instead of 0600.
Risk Assessment
Organizations may be exposed to unauthorized access to authentication tokens, potentially leading to security breaches and data loss.
Recommendation
It is recommended to upgrade Kiro IDE to version 0.11.133 or later. After upgrading and restarting the application, the cache file permissions will be automatically updated.
Original NVD description (English source)
Incorrect default permissions in Kiro IDE on macOS and Linux before version 0.11.133 could expose the authentication token cache file to other local users or processes via world-readable permissions (0644) instead of owner-restricted permissions (0600). To remediate this issue, users should upgrade to Kiro IDE version 0.11.133 or later. After upgrading and restarting the application, the cache file permissions are automatically updated on the next token refresh. Users operating in a multi-user environment can invalidate existing tokens by reauthenticating.

