CVE-2026-48033

HIGHPre-NVD 0.0
0.0
EchelonGraph verdictMonitorLow exploitation likelihood right now — keep watching.
  • No confirmed exploitation signals yet
CISA-KEV: Not listedEPSS: 0%CVSS: Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

@hulumi/policies bypasses policy packs with a forged Pulumi-URN logical name

Affected: @hulumi/policies < 1.4.0Fixed in: 1.4.0Severity: High — CWE-693 (Protection Mechanism Failure)

Summary

Pulumi gives every cloud resource a structured URN that includes the resource's type chain (hulumi:baseline:aws:SecureBucket$aws:s3/bucketV2:BucketV2) and the _logical name_ the developer freely chose (anything after the final ::). Several Hulumi policy rules used the URN to grant exemptions — for example, "if this raw bucket is a child of SecureBucket, skip the raw-bucket rule because the parent component handles hardening."

The bug: the rules looked for a substring like hulumi:baseline:aws:SecureBucket$ _anywhere_ in the URN. That substring can also appear in the developer-controlled logical-name portion. A developer (or compromised PR) could simply name a raw resource so its logical name carried the trusted substring, and every rule that used this check would treat the resource as if it were inside the trusted parent and skip its hardening check.

Codex reported this for DEPLOY_GOV_1; the same anti-pattern existed in five more packs (unreported but identically exploitable): AWS H4/H5 sibling lookups, GitHub H1, GitHub H2, Cloudflare CF_DNS_1, Cloudflare CF_DNSSEC_1, and (advisory-level) CIS v5 §2.1.1 + §2.1.5.

Impact

Consumers using @hulumi/policies could ship raw aws:s3:Bucket, github:Repository, cloudflare:Zone, cloudflare:DnsRecord, and similar resources that bypassed mandatory hardening checks by naming themselves with a trusted substring. Every affected rule appeared to pass while the resource had none of the expected defaults.

Patches

Upgrade to @hulumi/[email protected]. A new shared helper at packages/policies/src/urn.ts parses Pulumi URNs structurally and only looks for the trusted parent-type token inside the URN's type-chain segment — never inside the developer-controlled logical name. All six prior call sites have been migrated to it.

Workarounds

None reliable — a local lint that rejects logical names containing $ would catch the trivial form of the spoof but not crafted variants.

Resources

  • PR #178 (Cluster B); the URN-anchoring refactor and per-pack spoof-vector regression tests in packages/policies/tests/.

CVSS v3
EG Score
0.0(none)
EPSS
16.8%
KEV
Not listed

Published

June 10, 2026

Last Modified

June 10, 2026

Vendor Advisories for CVE-2026-48033(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Frequently asked(4)

What is CVE-2026-48033?
CVE-2026-48033 is a high vulnerability published on June 10, 2026. @hulumi/policies bypasses policy packs with a forged Pulumi-URN logical name Affected: @hulumi/policies < 1.4.0 — Fixed in: 1.4.0 — Severity: High — CWE-693 (Protection Mechanism Failure) Summary Pulumi gives every cloud resource a structured URN that includes the resource's type chain…
When was CVE-2026-48033 disclosed?
CVE-2026-48033 was first published in the National Vulnerability Database on June 10, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
Is CVE-2026-48033 actively exploited?
CVE-2026-48033 is not currently on CISA's Known Exploited Vulnerabilities catalog. FIRST EPSS estimates a 16.8% percentile likelihood of exploitation in the next 30 days — higher percentiles indicate greater predicted risk.
How do I remediate CVE-2026-48033?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-48033, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

Explore the affected products and dependency analysis for CVE-2026-48033

Explore →

Is Your Infrastructure Affected by CVE-2026-48033?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.