What is GHSA-4xrh-5m3m-328w?

GHSA-4xrh-5m3m-328w is a security advisory published by GitHub Security Advisories with High severity. @hulumi/policies: CIS 1.16 admin policy bypass for inline and attached IAM policies

Why does GHSA-4xrh-5m3m-328w have no CVE ID yet?

GitHub Security Advisories published this advisory directly to customers before NVD assigned a CVE ID. This is the embargo-window disclosure pattern — vendors notify customers on day 0; NVD's public record follows days to weeks later.

Which products are affected by GHSA-4xrh-5m3m-328w?

GHSA-4xrh-5m3m-328w affects 1 product, including: npm/@hulumi/policies:\u003c 1.3.2.

GHSA-4xrh-5m3m-328wHighDisclosed before NVD

@hulumi/policies: CIS 1.16 admin policy bypass for inline and attached IAM policies

Vendor

GitHub Security Advisories

Published

May 21, 2026

Last Modified

May 21, 2026

📋 Description

Impact: @hulumi/policies versions before 1.3.2 did not fully inspect inline and attached IAM policy evidence for the administrator-policy guardrail, so some admin-equivalent policy paths could pass policy evaluation. Patched in 1.3.2: the validator inspects the affected policy shapes and includes regression tests. Remediation: upgrade @hulumi/policies to 1.3.2 or later.

🎯 Affected products1

npm/@hulumi/policies:< 1.3.2

🔗 References (2)

https://github.com/kerberosmansour/hulumi/security/advisories/GHSA-4xrh-5m3m-328w
https://github.com/advisories/GHSA-4xrh-5m3m-328w