PT-2026-48477 · Unknown · @Hulumi/Baseline

Published: 2026-06-10 · Updated: 2026-06-10 · CVE-2026-48035

CVSS v4.0: 7.1 (High)

Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: @hulumi/baseline versions prior to 1.4.0
Description: Issues in the AccountFoundation component allow the S3 bucket used for CloudTrail and AWS Config audit logs to be modified or deleted, compromising the forensic trail. This occurs through three mechanisms: the startup-hardened tier hard-codes objectLock to false; the logBucketForceDestroy variable can be set to true, allowing pulumi destroy to purge the audit logs; and the sandbox tier skips Object Lock, server access logging, and the CloudTrail Lake EventDataStore (an independent immutable mirror).
Recommendations: Upgrade to @hulumi/baseline version 1.4.0. As a temporary workaround, replicate audit logs to an out-of-account Object-Locked archive bucket.
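A post-deployment check for the three bucket-side weaknesses the description names, added here as an example and not code from @hulumi/baseline: it evaluates the parsed JSON responses of the AWS CLI calls named in the docstrings, with constructed sample responses embedded so it runs offline. The logBucketForceDestroy setting is a Pulumi-side option not visible from the AWS API, so it is out of scope here; the hardened-sample field values (bucket and store names, retention of 365 days) are assumptions.

```python
# Constructed sample responses (not real output) for a bucket like the advisory's
# sandbox tier: no Object Lock, no access logging, no CloudTrail Lake event data store.
SANDBOX_OBJECT_LOCK = {}            # get-object-lock-configuration raised ObjectLockConfigurationNotFoundError
SANDBOX_LOGGING = {}                # get-bucket-logging returns {} when logging is off
SANDBOX_EVENT_DATA_STORES = {"EventDataStores": []}

# Constructed sample responses for a hardened bucket (names and retention are assumptions).
HARDENED_OBJECT_LOCK = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
                        "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 365}}}}
HARDENED_LOGGING = {"LoggingEnabled": {"TargetBucket": "example-access-logs", "TargetPrefix": "audit/"}}
HARDENED_EVENT_DATA_STORES = {"EventDataStores": [
    {"Name": "audit-mirror", "Status": "ENABLED", "TerminationProtectionEnabled": True}]}


def check_object_lock(resp: dict) -> list:
    """Findings from `aws s3api get-object-lock-configuration --bucket <name>`."""
    cfg = resp.get("ObjectLockConfiguration", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        return ["Object Lock disabled: audit objects can be overwritten or deleted"]
    retention = cfg.get("Rule", {}).get("DefaultRetention", {})
    findings = []
    if retention.get("Mode") != "COMPLIANCE":
        findings.append("default retention mode is not COMPLIANCE: retention can be shortened")
    if not (retention.get("Days") or retention.get("Years")):
        findings.append("no default retention period: new objects are not locked")
    return findings

def check_access_logging(resp: dict) -> list:
    """Findings from `aws s3api get-bucket-logging --bucket <name>`."""
    return [] if "LoggingEnabled" in resp else ["server access logging disabled: deletions leave no access record"]

def check_event_data_store(resp: dict) -> list:
    """Findings from `aws cloudtrail list-event-data-stores`."""
    enabled = [s for s in resp.get("EventDataStores", []) if s.get("Status") == "ENABLED"]
    if not enabled:
        return ["no enabled CloudTrail Lake event data store: no independent immutable mirror"]
    if not all(s.get("TerminationProtectionEnabled") for s in enabled):
        return ["event data store lacks termination protection: the mirror can be deleted"]
    return []

def audit_log_bucket_findings(object_lock: dict, logging: dict, event_data_stores: dict) -> list:
    """Run all three checks; an empty list means the audit-log bucket passes."""
    return (check_object_lock(object_lock) + check_access_logging(logging)
            + check_event_data_store(event_data_stores))


if __name__ == "__main__":
    print("sandbox:", audit_log_bucket_findings(SANDBOX_OBJECT_LOCK, SANDBOX_LOGGING, SANDBOX_EVENT_DATA_STORES))
    print("hardened:", audit_log_bucket_findings(HARDENED_OBJECT_LOCK, HARDENED_LOGGING, HARDENED_EVENT_DATA_STORES))
```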

Related Identifiers

CVE-2026-48035
GHSA-2MXR-P26X-MJ73

Affected Products

@Hulumi/Baseline