{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/@hulumi/policies/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["@hulumi/policies","github.com"],"_cs_severities":["high"],"_cs_tags":["vulnerability","iam","policy bypass","privilege escalation"],"_cs_type":"advisory","_cs_vendors":["GitHub"],"content_html":"\u003cp\u003eVersions of @hulumi/policies before 1.3.2 are vulnerable to a security flaw that allows for a bypass of the CIS 1.16 administrator-policy guardrail. This vulnerability arises because the software does not fully inspect inline and attached IAM policy evidence. As a result, some policy paths that should be considered admin-equivalent are not properly evaluated, potentially granting unauthorized administrative privileges. The issue was identified and patched in version 1.3.2, which includes enhanced validation of affected policy shapes and regression tests to prevent future occurrences.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003cp\u003eThis vulnerability does not involve a traditional attack chain in the sense of external exploitation. However, the following steps outline how an attacker could leverage the vulnerability:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies an existing IAM policy or attempts to create a new policy.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts the IAM policy with specific permissions that, while not explicitly granting admin privileges, provide equivalent access.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the crafted policy in an environment where @hulumi/policies version is \u0026lt; 1.3.2.\u003c/li\u003e\n\u003cli\u003e@hulumi/policies fails to properly evaluate the policy due to incomplete inspection of inline and attached IAM policies.\u003c/li\u003e\n\u003cli\u003eThe crafted policy is applied, granting the attacker unintended administrative access.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the elevated privileges to perform unauthorized actions within the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe vulnerability allows for a potential bypass of administrative policy controls, leading to the unintended granting of administrative privileges. Successful exploitation of this vulnerability could lead to unauthorized access to sensitive data, modification of critical system settings, or disruption of services. This could impact any systems or applications relying on @hulumi/policies for IAM policy enforcement. The impact is limited to systems running versions of @hulumi/policies prior to 1.3.2.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade @hulumi/policies to version 1.3.2 or later to remediate the vulnerability as described in the advisory (\u003ca href=\"https://github.com/advisories/GHSA-4xrh-5m3m-328w\"\u003ehttps://github.com/advisories/GHSA-4xrh-5m3m-328w\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eImplement code review processes to validate IAM policies and ensure they adhere to security best practices, even after the upgrade.\u003c/li\u003e\n\u003cli\u003eContinuously monitor systems relying on @hulumi/policies for any unexpected behavior that may indicate successful exploitation of the vulnerability.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-21T20:45:11Z","date_published":"2026-05-21T20:45:11Z","id":"https://feed.craftedsignal.io/briefs/2026-05-hulumi-policy-bypass/","summary":"@hulumi/policies versions before 1.3.2 improperly inspect inline and attached IAM policies, potentially allowing admin-equivalent policy paths to bypass the administrator-policy guardrail, resulting in a CIS 1.16 admin policy bypass.","title":"@hulumi/policies: CIS 1.16 Admin Policy Bypass Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-hulumi-policy-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — @Hulumi/Policies","version":"https://jsonfeed.org/version/1.1"}