Hulumi Policies: GitHub OIDC Trust Policy Bypass via AWS Condition Operators
GHSA-q2f7-m237-v562
Summary
Versions of Hulumi Policies (the npm package @hulumi/policies) before 1.3.2 recognised only the exact AWS IAM condition operator keys StringEquals and StringLike when inspecting GitHub OIDC role trust policies. The same operators written with a set qualifier, such as ForAnyValue:StringLike, were not evaluated, so a wildcard GitHub Actions sub condition placed under one of them passed the mandatory guardrail that is meant to reject it. This is fixed in version 1.3.2; update to that version or later.
What to do
- Update @hulumi/policies to version 1.3.2 or later.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| npm | hulumi | policies | < 1.3.2 (fix: upgrade to 1.3.2) |
Original title
@hulumi/policies: GitHub OIDC trust policy bypass via AWS set-qualified condition operators
Original description
Impact: @hulumi/policies versions before 1.3.2 only checked exact AWS IAM StringLike/StringEquals condition operator keys in G_OIDC_1. Set-qualified operators such as ForAnyValue:StringLike could hide wildcard GitHub Actions OIDC sub conditions from the mandatory guardrail.
Patched in 1.3.2: the AWS trust-policy inspector now evaluates set-qualified string operators and rejects unsafe GitHub OIDC sub conditions.
Remediation: upgrade @hulumi/policies to 1.3.2 or later.
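To make the bypass concrete, here is a small model of a GitHub OIDC trust-policy guardrail. It is an added example written for this page, not code from @hulumi/policies, and the internal logic of G_OIDC_1 is not published here: the helper names, the pinning rule (a sub value is safe only if it names one exact owner/repository), the assumption that presence of a sub key is detected regardless of operator while only value validation differs between the two modes, and the sample policies are all constructed. The vulnerable mode examines only the exact StringEquals/StringLike keys, as the advisory describes for versions before 1.3.2; the fixed mode strips the ForAnyValue:/ForAllValues: set qualifier before matching the operator name.

```javascript
// Added example (not code from @hulumi/policies): a model GitHub OIDC
// trust-policy inspector showing how matching on the exact operator names
// "StringEquals"/"StringLike" misses a wildcard `sub` placed under a
// set-qualified operator such as "ForAnyValue:StringLike".
// Helper names, pinning rule and sample policies are constructed.

const GITHUB_OIDC_ISSUER = 'token.actions.githubusercontent.com';
const SUB_KEY = `${GITHUB_OIDC_ISSUER}:sub`;
const STRING_OPERATORS = new Set(['StringEquals', 'StringLike']);

// Split an IAM condition operator into its optional set qualifier and base name:
// "ForAnyValue:StringLike" -> { qualifier: "ForAnyValue", base: "StringLike" }.
function parseOperator(key) {
  const m = /^(?:(ForAnyValue|ForAllValues):)?([A-Za-z]+)$/.exec(key);
  return m ? { qualifier: m[1] || null, base: m[2] } : null;
}

// Pinning rule assumed by this example: a `sub` value is safe only when it starts
// with "repo:<owner>/<name>:" with no wildcard in owner or name. Wildcards in the
// remaining ref/environment part are tolerated here (a design choice of the model).
function isUnsafeSubPattern(pattern) {
  return !/^repo:[^*?\/:]+\/[^*?\/:]+:/.test(String(pattern));
}

const asArray = (v) => (v === undefined ? [] : Array.isArray(v) ? v : [v]);

// Return every `sub` constraint of a Condition block as { operator, pattern }.
// recognizeSetQualified = false: only exact "StringEquals"/"StringLike" keys are
// examined (the pre-1.3.2 behaviour described in the advisory).
// recognizeSetQualified = true: set-qualified forms are examined as well.
function collectSubConstraints(condition, recognizeSetQualified) {
  const out = [];
  for (const [opKey, entries] of Object.entries(condition || {})) {
    const op = parseOperator(opKey);
    if (!op || !STRING_OPERATORS.has(op.base)) continue;
    if (op.qualifier && !recognizeSetQualified) continue; // the gap
    for (const [condKey, value] of Object.entries(entries)) {
      if (condKey.toLowerCase() !== SUB_KEY) continue; // IAM keys are case-insensitive
      for (const pattern of asArray(value)) out.push({ operator: opKey, pattern });
    }
  }
  return out;
}

// Assumption of this model: presence of the sub key is detected under any
// operator, so only value validation differs between the two modes.
function mentionsSub(condition) {
  return Object.values(condition || {}).some((entries) =>
    Object.keys(entries).some((k) => k.toLowerCase() === SUB_KEY));
}

function inspectGitHubOidcTrustPolicy(policy, { recognizeSetQualified }) {
  const findings = [];
  for (const stmt of asArray(policy.Statement)) {
    if (stmt.Effect !== 'Allow') continue;
    const federated = asArray(stmt.Principal && stmt.Principal.Federated);
    if (!federated.some((arn) => arn.endsWith(`:oidc-provider/${GITHUB_OIDC_ISSUER}`))) continue;
    if (!mentionsSub(stmt.Condition)) {
      findings.push('GitHub OIDC statement has no sub condition');
      continue;
    }
    for (const { operator, pattern } of collectSubConstraints(stmt.Condition, recognizeSetQualified)) {
      if (isUnsafeSubPattern(pattern)) {
        findings.push(`${operator} sub "${pattern}" is not pinned to one repository`);
      }
    }
  }
  return { ok: findings.length === 0, findings };
}

// Constructed sample: the sub wildcard sits under a set-qualified operator.
const BYPASS_POLICY = {
  Version: '2012-10-17',
  Statement: [{
    Effect: 'Allow',
    Principal: { Federated: 'arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com' },
    Action: 'sts:AssumeRoleWithWebIdentity',
    Condition: {
      StringEquals: { 'token.actions.githubusercontent.com:aud': 'sts.amazonaws.com' },
      'ForAnyValue:StringLike': { 'token.actions.githubusercontent.com:sub': 'repo:example-org/*' },
    },
  }],
};

// Constructed sample: a properly pinned policy using an exact operator key.
const PINNED_POLICY = JSON.parse(JSON.stringify(BYPASS_POLICY));
PINNED_POLICY.Statement[0].Condition = {
  StringEquals: { 'token.actions.githubusercontent.com:aud': 'sts.amazonaws.com' },
  StringLike: { 'token.actions.githubusercontent.com:sub': 'repo:example-org/example-repo:ref:refs/heads/main' },
};

console.log('vulnerable mode:', inspectGitHubOidcTrustPolicy(BYPASS_POLICY, { recognizeSetQualified: false }));
console.log('fixed mode:', inspectGitHubOidcTrustPolicy(BYPASS_POLICY, { recognizeSetQualified: true }));
```

Run it with node: in vulnerable mode the bypass policy is reported as ok, because the only sub constraint lives under ForAnyValue:StringLike and is never examined; in fixed mode the same policy yields one finding naming that operator and the unpinned pattern. When auditing your own trust policies, remember that AWS evaluates ForAnyValue:StringLike exactly as it would StringLike for a single-valued claim such as sub, so a wildcard there grants the role to every repository the pattern matches.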
CVSS 4.0 (GHSA): 9.3
Vulnerability type: CWE-284 (Improper Access Control)
Published: 21 May 2026 · Updated: 21 May 2026 · First seen: 21 May 2026