Trust the Workspace, Own the Developer - Kiro's GitLab Merge Request helper passes workspace paths to child_process.exec without quoting, turning folder names into shell commands. This issue has been addressed and fixed in version 0.6.18 and CVE-2026-0830 was assigned from AWS.

Summary

Opening a repository whose path contains shell meta-characters causes execution arbitrary shell commands. The helper builds commands such as cd ${workspace}; git branch --show-current using untrusted workspace paths and passes them to child_process.exec because the path is unquoted, the payload embedded in this folder name runs with the user's privilege.

Proof-of-concept

  • Download and unzip the PoC repo (video attached) so the folder name remains kiro_gitlab_calc;open /System/Applications/Calculator.app.
open -a Kiro "/path/to/kiro_gitlab_calc;open /System/Applications/Calculator.app"
  • Trust the workspace.
  • In chat type#, select Gitlab Merge Request, send any prompt (e.g., "Summarize open merge requests", or "Hello").
  • Calculator launches immediately, demonstrating arbitrary command execution triggered just by opening the repository.

Root-cause

In /Applications/Kiro.app/Contents/Resources/app/extensions/kiro.kiro-agent/dist/extension.js:502409-502410 the helper getSubprocess resolves the workspace path and returns:

command => extras.ide.subprocess(`cd ${workingDir}; ${command}`)

Hence, extras.ide.subprocess eventually calls child_process.exec, so any shell meta-characters in ${workingDir} are executed before git runs.

Impact

An attacker-controlled repository can run arbitrary commands on the developer's machine simply by being opened in Kiro and triggering the GitLab MR helper (which can happen automatically via .continuerc.json).

Responsible Disclosure

This was reported to AWS via HackerOne (October 22, 2025, 8:15am UTC). AWS team fixed it with the below changelog.

0.6.18: Bug fixes and improvements to multi root workspace support when creating new files. Added improvements to intent detection when working with multiple sessions. Fixed a security issue in GitLab integration that could allow command injection through workspace paths.

None
https://aws.amazon.com/security/security-bulletins/2026-001-AWS/

Current Fix

The fix involves a few basic changes, instead of constructing shell strings like ${workingDir} / ${command} use's a non-shell execution API and pass the working directory via cwd(current working directory).

Stay Safe

AI tools are cool but such tools run on your machine with your privileges. The bug I found lets an attacker execute arbitrary commands just by getting you to open a malicious repository & performing authorized actions. Hence, be careful on what you install/open.