CVE-2026-48034

HIGHPre-NVD 0.0
0.0
EchelonGraph verdictMonitorLow exploitation likelihood right now — keep watching.
  • No confirmed exploitation signals yet
CISA-KEV: Not listedEPSS: 0%CVSS: Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

@hulumi/policies has a HULUMI-H5 bypass via decoy sibling resources targeting a different bucket

Affected: @hulumi/policies < 1.4.0Fixed in: 1.4.0Severity: High — CWE-284 (Improper Access Control)

Summary

HULUMI-H1 forbids raw aws:s3:Bucket outside of Hulumi's SecureBucket component, with one exemption: a raw bucket that's a child of a SecureBucket is allowed because the component is responsible for the hardening. HULUMI-H5 is the defence-in-depth check that closes the H1 exemption — for any raw bucket claiming it, H5 verifies the five hardening sibling resources a real SecureBucket always emits (public-access block, SSE-KMS, ownership controls, versioning, TLS-only bucket policy) are actually present.

The bug: H5 only checked the siblings' _types_. It never verified that those siblings actually applied to the bucket being exempted. A consumer (or compromised PR) could pair an unhardened raw bucket with five hardening sibling resources whose bucket property pointed at a _completely different_ bucket, and H5 would report no violation while the actual bucket shipped with zero hardened defaults.

Impact

Consumers using HulumiHardeningPack could ship a raw S3 bucket with no public-access block, no SSE-KMS, no ownership controls, no versioning, and no TLS-only bucket policy — while the policy pack reported the stack as compliant.

Patches

Upgrade to @hulumi/[email protected]. The H5 sibling check now requires both (a) the sibling to share the same parent SecureBucket instance via the anchored URN helper from GHSA-2, AND (b) the sibling's bucket property — or, for the bucket policy, its Resource ARN list — to reference the exempted bucket explicitly. Five decoy siblings pointing at a different bucket no longer count.

Workarounds

None — the exemption itself is the mechanism, so the value-binding check is the only fix.

Resources

  • PR #178 (Cluster B); decoy-sibling regression cases in packages/policies/tests/hulumi-hardening-pack.test.ts. Supersedes PR #175, which had addressed the value-binding half but on a stale base.

CVSS v3
EG Score
0.0(none)
EPSS
12.0%
KEV
Not listed

Published

June 10, 2026

Last Modified

June 10, 2026

Vendor Advisories for CVE-2026-48034(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Affected Packages

(1 across 1 ecosystem)
npm(1)
PackageVulnerable rangeFixed inDependents
@hulumi/policies1.4.0

Data Freshness Timeline

(refreshed 0× in last 7d / 5× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

  1. 2026-06-14 23:18 UTCEPSS rescore
  2. 2026-06-13 23:00 UTCEPSS rescore
  3. 2026-06-13 15:39 UTCEG score recompute
  4. 2026-06-12 23:12 UTCEPSS rescore
  5. 2026-06-10 14:17 UTCEG score recompute

Frequently asked(4)

What is CVE-2026-48034?
CVE-2026-48034 is a high vulnerability published on June 10, 2026. @hulumi/policies has a HULUMI-H5 bypass via decoy sibling resources targeting a different bucket Affected: @hulumi/policies < 1.4.0 — Fixed in: 1.4.0 — Severity: High — CWE-284 (Improper Access Control) Summary HULUMI-H1 forbids raw aws:s3:Bucket outside of Hulumi's SecureBucket component, with one…
When was CVE-2026-48034 disclosed?
CVE-2026-48034 was first published in the National Vulnerability Database on June 10, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
Is CVE-2026-48034 actively exploited?
CVE-2026-48034 is not currently on CISA's Known Exploited Vulnerabilities catalog. FIRST EPSS estimates a 12.0% percentile likelihood of exploitation in the next 30 days — higher percentiles indicate greater predicted risk.
How do I remediate CVE-2026-48034?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-48034, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

See which npm, PyPI, Go, and Maven packages are affected by CVE-2026-48034

Explore →

Is Your Infrastructure Affected by CVE-2026-48034?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.