Skip to main content

CVE-2026-48034

HIGH
Improper Access Control (CWE-284)
2026-06-10 https://github.com/kerberosmansour/hulumi GHSA-9vc9-4jv3-rf86
Share

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 10, 2026 - 14:17 vuln.today
Analysis Generated
Jun 10, 2026 - 14:17 vuln.today

DescriptionCVE.org

Affected: @hulumi/policies < 1.4.0 - Fixed in: 1.4.0 - Severity: High - CWE-284 (Improper Access Control)

Summary

HULUMI-H1 forbids raw aws:s3:Bucket outside of Hulumi's SecureBucket component, with one exemption: a raw bucket that's a child of a SecureBucket is allowed because the component is responsible for the hardening. HULUMI-H5 is the defence-in-depth check that closes the H1 exemption - for any raw bucket claiming it, H5 verifies the five hardening sibling resources a real SecureBucket always emits (public-access block, SSE-KMS, ownership controls, versioning, TLS-only bucket policy) are actually present.

The bug: H5 only checked the siblings' _types_. It never verified that those siblings actually applied to the bucket being exempted. A consumer (or compromised PR) could pair an unhardened raw bucket with five hardening sibling resources whose bucket property pointed at a _completely different_ bucket, and H5 would report no violation while the actual bucket shipped with zero hardened defaults.

Impact

Consumers using HulumiHardeningPack could ship a raw S3 bucket with no public-access block, no SSE-KMS, no ownership controls, no versioning, and no TLS-only bucket policy - while the policy pack reported the stack as compliant.

Patches

Upgrade to @hulumi/policies@1.4.0. The H5 sibling check now requires both (a) the sibling to share the same parent SecureBucket instance via the anchored URN helper from GHSA-2, AND (b) the sibling's bucket property - or, for the bucket policy, its Resource ARN list - to reference the exempted bucket explicitly. Five decoy siblings pointing at a different bucket no longer count.

Workarounds

None - the exemption itself is the mechanism, so the value-binding check is the only fix.

Resources
  • PR #178 (Cluster B); decoy-sibling regression cases in packages/policies/tests/hulumi-hardening-pack.test.ts. Supersedes PR #175, which had addressed the value-binding half but on a stale base.

AnalysisAI

Policy bypass in @hulumi/policies versions prior to 1.4.0 allows an unhardened raw AWS S3 bucket to pass the HULUMI-H5 defence-in-depth check by pairing it with five decoy sibling hardening resources that reference a different bucket. Consumers of HulumiHardeningPack can ship S3 buckets with no public-access block, no SSE-KMS encryption, no ownership controls, no versioning, and no TLS-only bucket policy while the policy pack reports the stack as compliant. No public exploit identified at time of analysis, though the upstream fix and regression tests publicly document the bypass technique.

Share

CVE-2026-48034 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy