2026-002-AWS
Disclosed before NVD
Unanchored ACCOUNT_ID webhook filters for CodeBuild
📋 Description
Bulletin ID: 2026-002-AWS
Scope: AWS
Content Type: Informational
Publication Date: 2026/01/15 07:03 AM PST
Description:
A security research team identified a configuration issue affecting the following AWS-managed open source GitHub repositories that could have resulted in the introduction of inappropriate code:
- aws-sdk-js-v3
- aws-lc
- amazon-corretto-crypto-provider
- awslabs/open-data-registry
Specifically, researchers identified the above repositories' configured regular expressions for AWS CodeBuild webhook filters intended to limit trusted actor IDs were insufficient, allowing a predictably acquired actor ID to gain administrative permissions for the affected repositories. We can confirm these were project-specific misconfigurations in webhook actor ID filters for these repositories and not an issue in the CodeBuild service itself. The researchers carefully demonstrated the potential to commit inappropriate code, through an empty code commit, to one repository and promptly informed AWS Security of their research activity and its potential negative impact.
No inappropriate code was introduced to any of the affected repositories during this security research activity. The demonstrated empty code commit to one repository had no impact on any AWS customer environments and did not impact any AWS services or infrastructure. No customer action is required.
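The following audit sketch is an added example, not code from AWS or from the affected repositories. It flags actor ID webhook filters whose regular expression is not anchored on every alternative, which is the class of misconfiguration the bulletin describes. The account IDs are constructed, the filter group shape follows CodeBuild's ACTOR_ACCOUNT_ID webhook filter type, and modelling the match as an unanchored regex search is an assumption.

```python
import re

# Constructed sample shaped like a CodeBuild webhook's filterGroups; IDs are made up.
PATTERNS = ["1234567|7654321", "^1234567|7654321$", "^(1234567|7654321)$"]
FILTER_GROUPS = [[{"type": "EVENT", "pattern": "PUSH"},
                  {"type": "ACTOR_ACCOUNT_ID", "pattern": p}] for p in PATTERNS]

def top_level_alternatives(pattern):
    """Split a regex on '|' that sits outside groups, classes and escapes."""
    parts, current, depth, in_class, escaped = [], "", 0, False, False
    for ch in pattern:
        if escaped or ch == "\\":
            escaped = not escaped          # an escaped character is never structural
        elif in_class:
            in_class = ch != "]"
        elif ch == "[":
            in_class = True
        elif ch in "()":
            depth += 1 if ch == "(" else -1
        elif ch == "|" and depth == 0:
            parts.append(current)
            current = ""
            continue
        current += ch
    return parts + [current]

def is_anchored(pattern):
    """True only if every top-level alternative is pinned with ^ and $.
    Conservative: safe spellings such as (^a$|^b$) are still reported."""
    def ends_with_dollar(alt):
        body = alt[:-1]
        escapes = len(body) - len(body.rstrip("\\"))
        return alt.endswith("$") and escapes % 2 == 0
    return all(a.startswith("^") and ends_with_dollar(a)
               for a in top_level_alternatives(pattern))

def audit(filter_groups):
    """Return (group_index, pattern) for each unanchored actor ID filter."""
    return [(gi, f["pattern"])
            for gi, group in enumerate(filter_groups) for f in group
            if f["type"] == "ACTOR_ACCOUNT_ID" and not is_anchored(f["pattern"])]

def accepts(pattern, actor_id):
    # Assumption: the filter is modelled as an unanchored regex search.
    return re.search(pattern, actor_id) is not None
```

The second pattern shows why checking only the ends of the string is not enough: in `^1234567|7654321$` each anchor binds to a single alternative, so the allow-list needs the grouped form `^(1234567|7654321)$`.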
Please refer to the article below for the most up-to-date and complete information related to this AWS Security Bulletin.