GHSA-4xrh-5m3m-328w: @hulumi/policies: CIS 1.16 admin policy bypass for inline and attached IAM policies

May 21, 2026

Impact: @hulumi/policies versions before 1.3.2 did not fully inspect inline and attached IAM policy evidence for the administrator-policy guardrail, so some admin-equivalent policy paths could pass policy evaluation.

Patched in 1.3.2: the validator inspects the affected policy shapes and includes regression tests.

Remediation: upgrade @hulumi/policies to 1.3.2 or later.

References

github.com/advisories/GHSA-4xrh-5m3m-328w
github.com/kerberosmansour/hulumi/security/advisories/GHSA-4xrh-5m3m-328w

Code Behaviors & Features

Detect and mitigate GHSA-4xrh-5m3m-328w with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →