9.1
Hulumi Policies: GitHub OIDC Trust Policy Bypass via AWS Conditions
GHSA-q2f7-m237-v562
Summary
Versions of Hulumi Policies before 1.3.2 may allow attackers to bypass the GitHub OIDC trust-policy check the package enforces. This affects users who rely on Hulumi Policies for GitHub Actions security. To fix this, update Hulumi Policies to version 1.3.2 or later.
What to do
- Update the npm package @hulumi/policies (vendor: hulumi) to version 1.3.2 or later.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| npm | hulumi | @hulumi/policies | < 1.3.2 (fix: upgrade to 1.3.2) |
Original title
@hulumi/policies: GitHub OIDC trust policy bypass via AWS set-qualified condition operators
Original description
Impact: @hulumi/policies versions before 1.3.2 only checked exact AWS IAM StringLike/StringEquals condition operator keys in G_OIDC_1. Set-qualified operators such as ForAnyValue:StringLike could hide wildcard GitHub Actions OIDC sub conditions from the mandatory guardrail.
Patched in 1.3.2: the AWS trust-policy inspector now evaluates set-qualified string operators and rejects unsafe GitHub OIDC sub conditions.
Remediation: upgrade @hulumi/policies to 1.3.2 or later.
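The following is an added illustration of the bug class described above; it is not code from @hulumi/policies and does not reproduce its G_OIDC_1 implementation. It contrasts a trust-policy inspector that indexes the IAM `Condition` map by the bare `StringLike`/`StringEquals` keys with one that first strips the `ForAnyValue:`/`ForAllValues:` set qualifiers, and runs both over constructed sample trust policies (placeholder account id, placeholder repository names). The rule that a safe `sub` value must pin one `repo:<owner>/<name>:...` without wildcards in the owner or name is this example's own assumption, not the package's exact rule.

```javascript
// Added example (not code from @hulumi/policies): the bug class behind GHSA-q2f7-m237-v562.
// An inspector that reads only the bare "StringLike"/"StringEquals" condition keys never sees a
// GitHub OIDC "sub" clause written under a set-qualified operator such as "ForAnyValue:StringLike",
// so a wildcard value placed there is invisible to the guardrail.

const GITHUB_OIDC_SUB = 'token.actions.githubusercontent.com:sub';
const STRING_OPERATORS = ['StringEquals', 'StringLike'];
const SET_QUALIFIERS = ['ForAnyValue:', 'ForAllValues:'];

// Strip an IAM set qualifier: "ForAnyValue:StringLike" -> "StringLike".
function baseOperator(key) {
  for (const q of SET_QUALIFIERS) {
    if (key.startsWith(q)) return key.slice(q.length);
  }
  return key;
}

// IAM condition values may be a single string or an array of strings.
function asList(v) {
  return Array.isArray(v) ? v : [v];
}

// Assumed safety rule for this example: the value must pin a single repository,
// "repo:<owner>/<name>:<anything>", with no wildcard in the owner/name part.
function isWildcardSub(value) {
  const m = /^repo:([^:]+):/.exec(value);
  if (!m) return true;
  return /[*?]/.test(m[1]);
}

// Vulnerable lookup: only the two bare operator keys are consulted.
function findSubValuesNaive(statement) {
  const cond = statement.Condition || {};
  const out = [];
  for (const op of STRING_OPERATORS) {
    if (cond[op] && cond[op][GITHUB_OIDC_SUB] !== undefined) {
      out.push(...asList(cond[op][GITHUB_OIDC_SUB]));
    }
  }
  return out;
}

// Fixed lookup: every operator key is visited and normalised before comparison.
function findSubValuesFixed(statement) {
  const out = [];
  for (const [key, clauses] of Object.entries(statement.Condition || {})) {
    if (!STRING_OPERATORS.includes(baseOperator(key))) continue;
    if (clauses[GITHUB_OIDC_SUB] !== undefined) {
      out.push(...asList(clauses[GITHUB_OIDC_SUB]));
    }
  }
  return out;
}

// Wildcard sub values found in each web-identity Allow statement, using the given lookup.
function wildcardSubs(policy, findSubValues) {
  const unsafe = [];
  for (const st of asList(policy.Statement)) {
    const actions = asList(st.Action || []);
    if (st.Effect !== 'Allow' || !actions.includes('sts:AssumeRoleWithWebIdentity')) continue;
    for (const v of findSubValues(st)) {
      if (isWildcardSub(v)) unsafe.push(v);
    }
  }
  return unsafe;
}

// Constructed sample trust policy (placeholder account id and provider ARN).
function trustPolicy(conditionKey, subValue) {
  const Condition = { StringEquals: { 'token.actions.githubusercontent.com:aud': 'sts.amazonaws.com' } };
  Condition[conditionKey] = { ...(Condition[conditionKey] || {}), [GITHUB_OIDC_SUB]: subValue };
  return {
    Version: '2012-10-17',
    Statement: [{
      Effect: 'Allow',
      Principal: { Federated: 'arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com' },
      Action: 'sts:AssumeRoleWithWebIdentity',
      Condition,
    }],
  };
}

const PINNED = trustPolicy('StringLike', 'repo:example-org/example-repo:ref:refs/heads/main');
const WILDCARD_BARE = trustPolicy('StringLike', 'repo:*');
const WILDCARD_SET_QUALIFIED = trustPolicy('ForAnyValue:StringLike', ['repo:*']);

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, p] of Object.entries({ PINNED, WILDCARD_BARE, WILDCARD_SET_QUALIFIED })) {
    console.log(name, 'naive:', wildcardSubs(p, findSubValuesNaive), 'fixed:', wildcardSubs(p, findSubValuesFixed));
  }
}
```

Run with `node`: both lookups flag `WILDCARD_BARE`, but only the fixed lookup flags `WILDCARD_SET_QUALIFIED`; the naive one reports the policy as clean. A production guardrail should additionally fail closed when no `sub` condition is found at all, which this example leaves out to keep the contrast between the two lookups clear.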
CVSS 4.0 (osv): 9.1
Vulnerability type
CWE-284
Improper Access Control
Published: 21 May 2026 · Updated: 21 May 2026 · First seen: 21 May 2026