@hulumi/policies
npm3 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting @hulumi/policiespage 1 of 1
- CVE-2026-48032HIGHCVSS 0.0EG 0.0✓ Fixed in 1.4.02026-06-10
@hulumi/policies bypasses IAM-role policy checks when the role trusts multiple OIDC providers **Affected:** `@hulumi/policies` `< 1.4.0` — **Fixed in:** `1.4.0` — **Severity:** High — **CWE-697 (Incorrect Comparison)** #### Summary…
- CVE-2026-48033HIGHCVSS 0.0EG 0.0✓ Fixed in 1.4.02026-06-10
@hulumi/policies bypasses policy packs with a forged Pulumi-URN logical name **Affected:** `@hulumi/policies` `< 1.4.0` — **Fixed in:** `1.4.0` — **Severity:** High — **CWE-693 (Protection Mechanism Failure)** #### Summary Pulumi …
- CVE-2026-48034HIGHCVSS 0.0EG 0.0✓ Fixed in 1.4.02026-06-10
@hulumi/policies has a HULUMI-H5 bypass via decoy sibling resources targeting a different bucket **Affected:** `@hulumi/policies` `< 1.4.0` — **Fixed in:** `1.4.0` — **Severity:** High — **CWE-284 (Improper Access Control)** #### S…
Check whether @hulumi/policies is used in your infrastructure
EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for @hulumi/policies CVEs against the assets you own.
Start Free Scan →