CVE-2026-48032

HIGHPre-NVD 0.0
0.0
EchelonGraph verdictMonitorLow exploitation likelihood right now — keep watching.
  • No confirmed exploitation signals yet
CISA-KEV: Not listedEPSS: 0%CVSS: Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

@hulumi/policies bypasses IAM-role policy checks when the role trusts multiple OIDC providers

Affected: @hulumi/policies < 1.4.0Fixed in: 1.4.0Severity: High — CWE-697 (Incorrect Comparison)

Summary

AWS IAM trust policies can list more than one federated identity provider — for example, a role that accepts BOTH GitHub Actions OIDC and Google's OIDC. The G_OIDC_1 and G_OIDC_2 policy rules are supposed to flag IAM roles whose GitHub-OIDC trust is too permissive (e.g. wildcard sub: conditions that would let any branch or any pull request assume the role).

The bug: when the role's Principal.Federated field was a JSON array of multiple providers, the rules failed to recognise that GitHub Actions was one of them. The providers list was coerced into a single comma-joined string, the matcher only looked at the start, and the GitHub OIDC hostname was lost in the join. Both rules concluded "this isn't a GitHub-OIDC role" and skipped the wildcard check.

Impact

A trust policy that listed the real GitHub OIDC provider ARN alongside any second provider would slip past both detectors. Consumers using HulumiHardeningPack or HulumiGithubHardeningPack could ship an IAM role with wildcard sub: conditions (allowing untrusted PRs from forks to assume the role) while their policy validation reported the stack as compliant. The G_OIDC_2 detector also failed to mark such roles for the cluster-admin / AdministratorAccess blast-radius check.

Patches

Upgrade to @hulumi/[email protected]. The shared GitHub-OIDC-provider matcher now correctly walks lists of providers — if any element of the list is the real GitHub OIDC ARN, the role is treated as GitHub-OIDC-assumable and the wildcard / blast-radius checks apply.

Workarounds

None reliable — upgrade is the fix.

Resources

  • PR #178 (Cluster A); regression tests at packages/policies/tests/github/{g-oidc-2,github-oidc-issuer}.test.ts.

CVSS v3
EG Score
0.0(none)
EPSS
12.5%
KEV
Not listed

Published

June 10, 2026

Last Modified

June 10, 2026

Vendor Advisories for CVE-2026-48032(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Affected Packages

(1 across 1 ecosystem)
npm(1)
PackageVulnerable rangeFixed inDependents
@hulumi/policies1.4.0

Data Freshness Timeline

(refreshed 0× in last 7d / 5× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

  1. 2026-06-14 23:18 UTCEPSS rescore
  2. 2026-06-13 23:00 UTCEPSS rescore
  3. 2026-06-13 13:15 UTCEG score recompute
  4. 2026-06-12 23:12 UTCEPSS rescore
  5. 2026-06-10 14:18 UTCEG score recompute

Frequently asked(4)

What is CVE-2026-48032?
CVE-2026-48032 is a high vulnerability published on June 10, 2026. @hulumi/policies bypasses IAM-role policy checks when the role trusts multiple OIDC providers Affected: @hulumi/policies < 1.4.0 — Fixed in: 1.4.0 — Severity: High — CWE-697 (Incorrect Comparison) Summary AWS IAM trust policies can list more than one federated identity provider — for example, a…
When was CVE-2026-48032 disclosed?
CVE-2026-48032 was first published in the National Vulnerability Database on June 10, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
Is CVE-2026-48032 actively exploited?
CVE-2026-48032 is not currently on CISA's Known Exploited Vulnerabilities catalog. FIRST EPSS estimates a 12.5% percentile likelihood of exploitation in the next 30 days — higher percentiles indicate greater predicted risk.
How do I remediate CVE-2026-48032?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-48032, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

See which npm, PyPI, Go, and Maven packages are affected by CVE-2026-48032

Explore →

Is Your Infrastructure Affected by CVE-2026-48032?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.