GHSA-CJ8G-PRCM-MFG5
Vulnerability from github – Published: 2026-06-10 13:38 – Updated: 2026-06-10 13:38
VLAI
Summary
@hulumi/baseline: AccountFoundation reuse paths silently downgrade GuardDuty / Security Hub posture
Details
Affected: @hulumi/baseline < 1.4.0 — Fixed in: 1.4.0 — Severity: Medium — CWE-693 (Protection Mechanism Failure)
Summary
AccountFoundation can either create AWS detective services (GuardDuty for threat detection, Security Hub for compliance dashboards) or reuse pre-existing ones via opt-in flags. The reuse paths just imported the existing resources and reported success — they never checked whether the existing services were actually doing their job.
- GuardDuty reuse. If the existing detector was suspended, or set to the slower 6-hour publishing cadence instead of the baseline 15-minute one, or otherwise misconfigured — Hulumi never noticed. The deployment succeeded with a misleadingly-positive
guardDutyDetectorIdoutput as if the baseline were active. - Security Hub reuse. Although the account import was read-only, Hulumi unconditionally created the CIS / NIST
StandardsSubscriptionresources with default delete behaviour. Pulumi then treated those subscriptions as its own — a laterpulumi destroyof the stack would callBatchDisableStandards, unsubscribing the account from CIS / NIST compliance monitoring even on accounts that had those subscriptions before Hulumi ever ran.
Impact
Consumers using AccountFoundation's reuse mode could:
- ship deployments that appeared to enable a detective baseline but actually weren't (case 1), or
- accidentally turn off CIS / NIST compliance monitoring on an existing account just by destroying a Hulumi stack (case 2 — no malicious intent needed; a normal stack teardown was enough).
Patches
Upgrade to @hulumi/baseline@1.4.0.
- GuardDuty reuse now asserts the imported detector is
ENABLEDwithfindingPublishingFrequency: FIFTEEN_MINUTES. Wrong posture fails the deploy at preview time. - Security Hub reuse creates the CIS / NIST
StandardsSubscriptionresources withretainOnDelete: true, so destroying a reused stack no longer unsubscribes the account.
Net-new (non-reuse) deployments are unchanged.
Workarounds
Don't reuse pre-existing detective services with AccountFoundation before upgrading. If reuse is unavoidable, manually verify detector posture out-of-band.
Resources
- PR #178 (Cluster G); regression tests in
packages/baseline/tests/guardduty-reuse-posture.test.tsandpackages/baseline/tests/securityhub-reuse-retain.test.ts.
Severity
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@hulumi/baseline"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.4.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-48037"
],
"database_specific": {
"cwe_ids": [
"CWE-693"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-10T13:38:59Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "**Affected:** `@hulumi/baseline` `\u003c 1.4.0` \u2014 **Fixed in:** `1.4.0` \u2014 **Severity:** Medium \u2014 **CWE-693 (Protection Mechanism Failure)**\n\n#### Summary\n\n`AccountFoundation` can either create AWS detective services (GuardDuty for threat detection, Security Hub for compliance dashboards) or reuse pre-existing ones via opt-in flags. The reuse paths just imported the existing resources and reported success \u2014 they never checked whether the existing services were actually doing their job.\n\n1. **GuardDuty reuse.** If the existing detector was suspended, or set to the slower 6-hour publishing cadence instead of the baseline 15-minute one, or otherwise misconfigured \u2014 Hulumi never noticed. The deployment succeeded with a misleadingly-positive `guardDutyDetectorId` output as if the baseline were active.\n2. **Security Hub reuse.** Although the account import was read-only, Hulumi unconditionally created the CIS / NIST `StandardsSubscription` resources with default delete behaviour. Pulumi then treated those subscriptions as its own \u2014 a later `pulumi destroy` of the stack would call `BatchDisableStandards`, unsubscribing the account from CIS / NIST compliance monitoring even on accounts that had those subscriptions before Hulumi ever ran.\n\n#### Impact\n\nConsumers using `AccountFoundation`\u0027s reuse mode could:\n\n- ship deployments that appeared to enable a detective baseline but actually weren\u0027t (case 1), or\n- accidentally turn off CIS / NIST compliance monitoring on an existing account just by destroying a Hulumi stack (case 2 \u2014 no malicious intent needed; a normal stack teardown was enough).\n\n#### Patches\n\nUpgrade to `@hulumi/baseline@1.4.0`.\n\n- GuardDuty reuse now asserts the imported detector is `ENABLED` with `findingPublishingFrequency: FIFTEEN_MINUTES`. Wrong posture fails the deploy at preview time.\n- Security Hub reuse creates the CIS / NIST `StandardsSubscription` resources with `retainOnDelete: true`, so destroying a reused stack no longer unsubscribes the account.\n\nNet-new (non-reuse) deployments are unchanged.\n\n#### Workarounds\n\nDon\u0027t reuse pre-existing detective services with `AccountFoundation` before upgrading. If reuse is unavoidable, manually verify detector posture out-of-band.\n\n#### Resources\n\n- [PR #178](https://github.com/kerberosmansour/hulumi/pull/178) (Cluster G); regression tests in\n `packages/baseline/tests/guardduty-reuse-posture.test.ts` and\n `packages/baseline/tests/securityhub-reuse-retain.test.ts`.",
"id": "GHSA-cj8g-prcm-mfg5",
"modified": "2026-06-10T13:38:59Z",
"published": "2026-06-10T13:38:59Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/kerberosmansour/hulumi/security/advisories/GHSA-cj8g-prcm-mfg5"
},
{
"type": "WEB",
"url": "https://github.com/kerberosmansour/hulumi/pull/178"
},
{
"type": "PACKAGE",
"url": "https://github.com/kerberosmansour/hulumi"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:H/SA:N",
"type": "CVSS_V4"
}
],
"summary": "@hulumi/baseline: AccountFoundation reuse paths silently downgrade GuardDuty / Security Hub posture"
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…