PT-2026-48475 · Npm · @Hulumi/Policies

Published 2026-06-10 · Updated 2026-06-10 · CVE-2026-48033

CVSS v4.0: 8.4 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:N

Affected: @hulumi/policies < 1.4.0
Fixed in: 1.4.0
Severity: High — CWE-693 (Protection Mechanism Failure)

Summary

Pulumi gives every cloud resource a structured URN that includes the resource's type chain (hulumi:baseline:aws:SecureBucket$aws:s3/bucketV2:BucketV2) and the logical name the developer freely chose (anything after the final ::). Several Hulumi policy rules used the URN to grant exemptions — for example, "if this raw bucket is a child of SecureBucket, skip the raw-bucket rule because the parent component handles hardening."
The bug: the rules looked for a substring like hulumi:baseline:aws:SecureBucket$ anywhere in the URN. That substring can also appear in the developer-controlled logical-name portion. A developer (or compromised PR) could simply name a raw resource so its logical name carried the trusted substring, and every rule that used this check would treat the resource as if it were inside the trusted parent and skip its hardening check.
Codex reported this for DEPLOY GOV 1; the same anti-pattern existed in five more packs (unreported but identically exploitable): AWS H4/H5 sibling lookups, GitHub H1, GitHub H2, Cloudflare CF DNS 1, Cloudflare CF DNSSEC 1, and (advisory-level) CIS v5 §2.1.1 + §2.1.5.

Impact

Consumers using @hulumi/policies could ship raw aws:s3:Bucket, github:Repository, cloudflare:Zone, cloudflare:DnsRecord, and similar resources that bypassed mandatory hardening checks by naming themselves with a trusted substring. Every affected rule appeared to pass while the resource had none of the expected defaults.

Patches

Upgrade to @hulumi/policies@1.4.0. A new shared helper at packages/policies/src/urn.ts parses Pulumi URNs structurally and only looks for the trusted parent-type token inside the URN's type-chain segment — never inside the developer-controlled logical name. All six prior call sites have been migrated to it.
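The following TypeScript is an added illustration of the difference between the two checks described in this advisory; it is not the project's packages/policies/src/urn.ts and not code from the advisory. It assumes the standard Pulumi URN layout urn:pulumi:<stack>::<project>::<type>[$<type>...]::<name>, and the helper names, the stack/project values and the three sample URNs are constructed for the example.

```typescript
// Added example (not @hulumi/policies code): substring matching on a Pulumi URN
// versus a structural parse that only consults the type-chain segment.

interface ParsedUrn {
  stack: string;
  project: string;
  typeChain: string[]; // qualified type split on "$", outermost parent first
  name: string;        // developer-controlled logical name
}

// Parse urn:pulumi:<stack>::<project>::<qualified type>::<name>.
// Assumption: the logical name is everything after the third "::", so a name
// that itself contains "::" is kept whole rather than truncated.
function parseUrn(urn: string): ParsedUrn | null {
  const prefix = "urn:pulumi:";
  if (!urn.startsWith(prefix)) return null;
  const parts = urn.slice(prefix.length).split("::");
  if (parts.length < 4) return null;
  const [stack, project, qualifiedType] = parts;
  if (!stack || !project || !qualifiedType) return null;
  return {
    stack,
    project,
    typeChain: qualifiedType.split("$"),
    name: parts.slice(3).join("::"),
  };
}

// Pre-1.4.0 pattern: the trusted token is searched for anywhere in the URN,
// including the logical-name segment the developer controls.
function hasParentTypeSubstring(urn: string, parentType: string): boolean {
  return urn.includes(parentType + "$");
}

// Hardened pattern: the token must be an ancestor entry in the parsed type
// chain. The last chain element is the resource's own type, so it is excluded.
function hasParentTypeStructural(urn: string, parentType: string): boolean {
  const parsed = parseUrn(urn);
  if (parsed === null) return false;
  return parsed.typeChain.slice(0, -1).includes(parentType);
}

// A minimal stand-in for a "raw bucket" rule: the rule is skipped only when
// the bucket is genuinely a child of the trusted component.
type RuleOutcome = "skipped" | "enforced";

function rawBucketRuleOutcome(
  urn: string,
  parentType: string,
  exempt: (urn: string, parentType: string) => boolean,
): RuleOutcome {
  return exempt(urn, parentType) ? "skipped" : "enforced";
}

const TRUSTED_PARENT = "hulumi:baseline:aws:SecureBucket";

// Constructed sample URNs (stack "prod", project "app", names are made up).
const CHILD_OF_SECURE_BUCKET =
  "urn:pulumi:prod::app::hulumi:baseline:aws:SecureBucket$aws:s3/bucketV2:BucketV2::logs";
const RAW_BUCKET =
  "urn:pulumi:prod::app::aws:s3/bucketV2:BucketV2::logs";
// A raw bucket whose logical name merely contains the trusted token.
const SPOOFED_RAW_BUCKET =
  "urn:pulumi:prod::app::aws:s3/bucketV2:BucketV2::hulumi:baseline:aws:SecureBucket$logs";

// Evaluate every sample under both checks so the divergence is visible.
function compareChecks(): Record<string, { substring: RuleOutcome; structural: RuleOutcome }> {
  const samples: Record<string, string> = {
    child: CHILD_OF_SECURE_BUCKET,
    raw: RAW_BUCKET,
    spoofed: SPOOFED_RAW_BUCKET,
  };
  const result: Record<string, { substring: RuleOutcome; structural: RuleOutcome }> = {};
  for (const [label, urn] of Object.entries(samples)) {
    result[label] = {
      substring: rawBucketRuleOutcome(urn, TRUSTED_PARENT, hasParentTypeSubstring),
      structural: rawBucketRuleOutcome(urn, TRUSTED_PARENT, hasParentTypeStructural),
    };
  }
  return result;
}

console.log(compareChecks());
```

Running it shows the substring check skipping the rule for both the genuine child and the spoofed raw bucket, while the structural check skips it only for the genuine child; the parsed type chain of the spoofed URN contains just the raw bucket type, which is why anchoring the lookup to that segment closes the gap.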

Workarounds

None reliable — a local lint that rejects logical names containing $ would catch the trivial form of the spoof but not crafted variants.

Resources

  • PR #178 (Cluster B); the URN-anchoring refactor and per-pack spoof-vector regression tests in packages/policies/tests/.

Weakness Enumeration

CWE-693 (Protection Mechanism Failure)

Related Identifiers

CVE-2026-48033
GHSA-RHGJ-6G2C-FRMM

Affected Products

@Hulumi/Policies