EXECUTIVE SUMMARY:
Five vulnerabilities have been identified in the hulumi suite of npm packages, specifically hulumi/drift, hulumi/baseline, and hulumi/policies. The issues span logic-handling failures that lead to false-negative drift detection, improper S3 bucket hardening, and policy bypasses that allow unauthenticated resource creation or overly permissive IAM role trusts. Exploiting these flaws can enable attackers to hide malicious changes, delete audit logs, or assume privileged roles without detection, potentially compromising compliance reporting and extending the blast radius of a breach. The combined risk is high for organizations relying on automated compliance and drift monitoring.
CVE-2026-48036 with a CVSS score of 8.4: The drift classifier ignores adapter failure states, caching a false "no drift" verdict for up to six hours; an attacker can trigger a transient network error to conceal unauthorized changes, requiring only network access to the Automation API.
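The first finding is a fail-open classifier: a read error is scored as "in sync" and that score is then cached. The following example is added here and is not hulumi's code; it models a minimal drift classifier with a six-hour verdict cache, reproduces the flawed behaviour behind a `failOpen` switch, and shows the fixed behaviour returning "unknown" and caching nothing for a failed read. The URN, property maps and error reason are constructed sample data.

```typescript
// Added example (not hulumi's code): a drift classifier that treats an adapter
// failure as "unknown" instead of caching a false "no-drift" verdict.

type AdapterResult =
  | { status: "ok"; liveState: Record<string, unknown> }
  | { status: "error"; reason: string }; // e.g. a transient network error

type Verdict = "drift" | "no-drift" | "unknown";

interface CacheEntry { verdict: Verdict; expiresAt: number }

const VERDICT_TTL_MS = 6 * 60 * 60 * 1000; // six-hour cache, as in the advisory

// Compare two property maps key by key (nested values compared by JSON encoding).
function sameState(desired: Record<string, unknown>, live: Record<string, unknown>): boolean {
  const keys = new Set([...Object.keys(desired), ...Object.keys(live)]);
  for (const k of keys) {
    if (JSON.stringify(desired[k]) !== JSON.stringify(live[k])) return false;
  }
  return true;
}

class DriftClassifier {
  private cache = new Map<string, CacheEntry>();
  private failOpen: boolean;
  private now: () => number;

  // failOpen=true reproduces the flawed behaviour described in the advisory:
  // an adapter error is scored as "no-drift" and cached like a real verdict.
  constructor(opts: { failOpen?: boolean; now?: () => number } = {}) {
    this.failOpen = opts.failOpen ?? false;
    this.now = opts.now ?? Date.now;
  }

  classify(urn: string, desired: Record<string, unknown>, result: AdapterResult): Verdict {
    const cached = this.cache.get(urn);
    if (cached && cached.expiresAt > this.now()) return cached.verdict;

    let verdict: Verdict;
    if (result.status === "error") {
      if (!this.failOpen) return "unknown"; // fixed: never cache a verdict we could not compute
      verdict = "no-drift";                 // flawed: a failed read silently reads as "in sync"
    } else {
      verdict = sameState(desired, result.liveState) ? "no-drift" : "drift";
    }
    this.cache.set(urn, { verdict, expiresAt: this.now() + VERDICT_TTL_MS });
    return verdict;
  }
}

// Constructed scenario: desired state, a tampered live state and a transient error.
const URN = "urn:pulumi:prod::audit::aws:s3/bucketV2:BucketV2::audit-logs";
const DESIRED = { bucket: "audit-logs-7f3", versioning: true };
const TAMPERED = { bucket: "audit-logs-7f3", versioning: false };
const NETWORK_ERROR: AdapterResult = { status: "error", reason: "ECONNRESET" };

// Run the scenario against either behaviour with a fake clock; returns the verdicts seen.
function scenario(failOpen: boolean): Verdict[] {
  let t = 0;
  const c = new DriftClassifier({ failOpen, now: () => t });
  const seen: Verdict[] = [];
  seen.push(c.classify(URN, DESIRED, NETWORK_ERROR));                          // 1. adapter fails
  seen.push(c.classify(URN, DESIRED, { status: "ok", liveState: TAMPERED }));  // 2. real drift, same hour
  t = VERDICT_TTL_MS + 1;
  seen.push(c.classify(URN, DESIRED, { status: "ok", liveState: TAMPERED }));  // 3. after the cache expires
  return seen;
}
```

With `failOpen: true` the sequence is `no-drift, no-drift, drift`: the tampered state in step 2 is masked by the cached verdict from the failed read and only surfaces once the six-hour entry expires. With the fix the sequence is `unknown, drift, drift`, and the "unknown" result is the signal a monitoring pipeline should alert on rather than swallow.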
CVE-2026-48035 with a CVSS score of 7.1: The audit-delivery S3 bucket lacks Object Lock and can be destroyed via a forced-destroy flag, allowing deletion of CloudTrail and Config logs; exploitation requires the ability to modify or destroy the bucket through Pulumi deployments.
CVE-2026-48034 with a CVSS score of 8.5: The H5 hardening check validates only sibling resource types, so a raw S3 bucket can be paired with decoy siblings pointing to a different bucket, bypassing required security controls; an attacker needs only to craft resource definitions with misleading logical names.
CVE-2026-48033 with a CVSS score of 8.4: Policy packs parse Pulumi URNs and mistakenly trust substrings in the developer-controlled logical name, letting raw resources evade hardening checks; exploitation requires naming a resource to include the trusted token.
CVE-2026-48032 with a CVSS score of 8.3: IAM role policy validation fails when the role trusts multiple OIDC providers, missing GitHub OIDC detection and allowing wildcard sub claims; an attacker must supply a role that lists GitHub alongside another provider.
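The last finding is a shape problem: an IAM `Principal.Federated` element may be a single ARN or an array of ARNs, and a validator that only recognises the single-string form loses sight of GitHub as soon as a second provider is listed. The example below is added here and is not hulumi's code. It normalises the statement, principal and condition shapes, finds GitHub OIDC trust anywhere in the provider list, and flags a missing or over-broad `token.actions.githubusercontent.com:sub` condition; the flawed single-string detection is kept alongside for contrast. The two trust policies are constructed samples with a placeholder account id.

```typescript
// Added example, not hulumi's code: finds GitHub OIDC trust in an IAM role trust policy
// even when several OIDC providers are listed, and flags wildcard `sub` claims.

interface Statement {
  Effect: "Allow" | "Deny";
  Action: string | string[];
  Principal?: { Federated?: string | string[]; AWS?: string | string[]; Service?: string | string[] };
  Condition?: Record<string, Record<string, string | string[]>>;
}
interface TrustPolicy { Version: string; Statement: Statement | Statement[] }
interface Finding { statement: number; message: string }

const GITHUB_OIDC_HOST = "token.actions.githubusercontent.com";
const SUB_KEY = `${GITHUB_OIDC_HOST}:sub`;

// IAM policy JSON allows scalars or arrays in most positions; always work on arrays.
function asArray<T>(v: T | T[] | undefined): T[] {
  return v === undefined ? [] : Array.isArray(v) ? v : [v];
}

function isGithubProvider(arn: string): boolean {
  return arn.endsWith(`:oidc-provider/${GITHUB_OIDC_HOST}`);
}

// A sub claim is over-broad if it is a bare wildcard, not repository-scoped, or carries a
// wildcard inside the repository identity ("repo:<owner>/<name>"). Wildcards after the
// identity (ref, environment) are left to local policy; tighten here if required.
function isWildcardSub(value: string): boolean {
  if (value === "*" || !value.startsWith("repo:")) return true;
  const repoIdent = value.slice("repo:".length).split(":")[0];
  return /[*?]/.test(repoIdent);
}

// Flawed detection, shaped like the advisory: only a single-string Federated principal is seen.
function findGithubStatementsFlawed(policy: TrustPolicy): number[] {
  return asArray(policy.Statement)
    .map((s, i) => {
      const f = s.Principal?.Federated;
      return typeof f === "string" && isGithubProvider(f) ? i : -1;
    })
    .filter(i => i >= 0);
}

// Fixed validation: every Allow statement that lists GitHub among its federated
// principals must carry a repository-pinned sub condition.
function validateTrustPolicy(policy: TrustPolicy): Finding[] {
  const findings: Finding[] = [];
  asArray(policy.Statement).forEach((stmt, i) => {
    if (stmt.Effect !== "Allow") return;
    if (!asArray(stmt.Principal?.Federated).some(isGithubProvider)) return;
    const subValues: string[] = [];
    for (const keys of Object.values(stmt.Condition ?? {})) {
      subValues.push(...asArray(keys[SUB_KEY]));
    }
    if (subValues.length === 0) {
      findings.push({ statement: i, message: `GitHub OIDC trust without a ${SUB_KEY} condition` });
    }
    for (const v of subValues) {
      if (isWildcardSub(v)) findings.push({ statement: i, message: `over-broad sub claim: ${v}` });
    }
  });
  return findings;
}

// Constructed sample: GitHub listed second, behind another provider, with a wildcard sub.
const MULTI_PROVIDER_POLICY: TrustPolicy = {
  Version: "2012-10-17",
  Statement: [{
    Effect: "Allow",
    Action: "sts:AssumeRoleWithWebIdentity",
    Principal: { Federated: [
      "arn:aws:iam::123456789012:oidc-provider/oidc.ci.example.invalid",
      "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com",
    ] },
    Condition: {
      StringEquals: { "token.actions.githubusercontent.com:aud": "sts.amazonaws.com" },
      StringLike: { "token.actions.githubusercontent.com:sub": "repo:*" },
    },
  }],
};

// Constructed sample: the shape the fixed validator accepts.
const PINNED_POLICY: TrustPolicy = {
  Version: "2012-10-17",
  Statement: {
    Effect: "Allow",
    Action: "sts:AssumeRoleWithWebIdentity",
    Principal: { Federated: "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com" },
    Condition: {
      StringEquals: {
        "token.actions.githubusercontent.com:aud": "sts.amazonaws.com",
        "token.actions.githubusercontent.com:sub": "repo:example-org/example-repo:ref:refs/heads/main",
      },
    },
  },
};
```

On `MULTI_PROVIDER_POLICY` the flawed detector reports no GitHub statement at all, so the `repo:*` sub is never examined; the fixed validator returns one finding for it. `PINNED_POLICY` passes both, which is the regression case to keep so the fix does not start rejecting correctly pinned roles.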
RECOMMENDATION:
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-32g3-35g9-wc9g
https://github.com/advisories/GHSA-2mxr-p26x-mj73
https://github.com/advisories/GHSA-9vc9-4jv3-rf86