CVE-2026-48034
HIGHLifecycle Timeline
2DescriptionCVE.org
Affected: @hulumi/policies < 1.4.0 - Fixed in: 1.4.0 - Severity: High - CWE-284 (Improper Access Control)
Summary
HULUMI-H1 forbids raw aws:s3:Bucket outside of Hulumi's SecureBucket component, with one exemption: a raw bucket that's a child of a SecureBucket is allowed because the component is responsible for the hardening. HULUMI-H5 is the defence-in-depth check that closes the H1 exemption - for any raw bucket claiming it, H5 verifies the five hardening sibling resources a real SecureBucket always emits (public-access block, SSE-KMS, ownership controls, versioning, TLS-only bucket policy) are actually present.
The bug: H5 only checked the siblings' _types_. It never verified that those siblings actually applied to the bucket being exempted. A consumer (or compromised PR) could pair an unhardened raw bucket with five hardening sibling resources whose bucket property pointed at a _completely different_ bucket, and H5 would report no violation while the actual bucket shipped with zero hardened defaults.
Impact
Consumers using HulumiHardeningPack could ship a raw S3 bucket with no public-access block, no SSE-KMS, no ownership controls, no versioning, and no TLS-only bucket policy - while the policy pack reported the stack as compliant.
Patches
Upgrade to @hulumi/policies@1.4.0. The H5 sibling check now requires both (a) the sibling to share the same parent SecureBucket instance via the anchored URN helper from GHSA-2, AND (b) the sibling's bucket property - or, for the bucket policy, its Resource ARN list - to reference the exempted bucket explicitly. Five decoy siblings pointing at a different bucket no longer count.
Workarounds
None - the exemption itself is the mechanism, so the value-binding check is the only fix.
Resources
AnalysisAI
Policy bypass in @hulumi/policies versions prior to 1.4.0 allows an unhardened raw AWS S3 bucket to pass the HULUMI-H5 defence-in-depth check by pairing it with five decoy sibling hardening resources that reference a different bucket. Consumers of HulumiHardeningPack can ship S3 buckets with no public-access block, no SSE-KMS encryption, no ownership controls, no versioning, and no TLS-only bucket policy while the policy pack reports the stack as compliant. No public exploit identified at time of analysis, though the upstream fix and regression tests publicly document the bypass technique.
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-9vc9-4jv3-rf86