Overview

The @hulumi/drift package is used for drift detection in Pulumi applications. Drift detection is crucial for identifying and mitigating configuration drift in infrastructure as code (IaC) environments. The package uses four adapters to determine if a resource has drifted, combining their answers into a verdict that is cached for 6 hours by default.

Technical Details

The vulnerability, CVE-2026-48036, is caused by the classifier's improper handling of exceptional conditions. Specifically, the classifier only reads each adapter's `detected: true/false` field and ignores whether the adapter itself succeeded. This leads to two related bugs:

1. **Cached "all clear" on adapter failure:** When an adapter fails (e.g., due to a transient network error), the classifier reads `detected: false`, concludes "no drift", and caches the verdict as `None / none` for 6 hours. This can mask real console-break-glass mutations for the rest of the window.

2. **Mixed verdicts without real evidence:** The `Mixed / high` and `ConsoleBreakGlass / high` verdicts (incident severity) can fire on the "the CloudTrail probe round-tripped successfully" signal rather than on actual evidence that anything was changed via the console. Normal provider-API churn can end up falsely escalated to incident severity.

Impact Analysis

The impact of this vulnerability is significant, as consumers running drift detection in CI/cron could see transient adapter failures silently cached as "all clear" — masking real attacks for up to six hours — or see ordinary provider-version churn falsely promoted to incident severity. Downstream incident workflows that gate on the verdict therefore consume an unreliable signal.

Mitigation

To mitigate this vulnerability, it is recommended to upgrade to `@hulumi/drift@1.4.0`. The classifier-only fix includes:

- Adapter failures now fail closed to `Unknown / low`, and degraded verdicts are not written to the cache.
- The `Mixed` / `ConsoleBreakGlass` promotion now requires real CloudTrail event evidence rather than probe liveness.

A partial workaround for case (1) is to set `options.minConfidence: "medium"` on the classifier call, which prevents the degraded `None / none` verdict from being cached. There is no workaround for case (2).
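The following is an added model of the two classifier bugs from the Technical Details section beside the 1.4.0 behaviour and the `minConfidence` workaround described here. It is not code from `@hulumi/drift`; the adapter result shape (`ok`, `detected`, `probeAlive`, `events`), the adapter names and the cache policy are assumptions made for this illustration.

```javascript
// Added model for this page, not @hulumi/drift code: adapter result shape,
// adapter names, verdict names and cache policy are assumptions.
const CONFIDENCE_RANK = { none: 0, low: 1, medium: 2, high: 3 };

// Pre-1.4.0: only `detected` is read, so an adapter that failed (ok=false)
// looks like "no drift"; the CloudTrail probe merely being alive is treated
// as evidence of a console change.
function classifyVulnerable(results) {
  const hits = results.filter((r) => r.detected);
  if (hits.length === 0) return { verdict: "None", confidence: "none" };
  const ct = results.find((r) => r.adapter === "cloudtrail");
  const kind = hits.length > 1 ? "Mixed" : "ConsoleBreakGlass";
  if (ct && ct.probeAlive) return { verdict: kind, confidence: "high" };
  return { verdict: "Drift", confidence: "medium" };
}

// 1.4.0: any failed adapter fails closed to Unknown/low and is marked
// degraded; promotion to incident severity needs actual CloudTrail events.
function classifyFixed(results) {
  if (results.some((r) => !r.ok)) {
    return { verdict: "Unknown", confidence: "low", degraded: true };
  }
  const hits = results.filter((r) => r.detected);
  if (hits.length === 0) return { verdict: "None", confidence: "none" };
  const ct = results.find((r) => r.adapter === "cloudtrail");
  const kind = hits.length > 1 ? "Mixed" : "ConsoleBreakGlass";
  if (ct && ct.events.length > 0) return { verdict: kind, confidence: "high" };
  return { verdict: "Drift", confidence: "medium" };
}

// Cache policy (6h TTL elided): degraded verdicts are never written, and the
// `minConfidence` workaround refuses to cache anything below the threshold.
function shouldCache(verdict, options = {}) {
  if (verdict.degraded) return false;
  const min = options.minConfidence || "none";
  return CONFIDENCE_RANK[verdict.confidence] >= CONFIDENCE_RANK[min];
}

// Constructed adapter outputs (four adapters, names assumed).
// Case 1: the state adapter failed transiently; nothing else fired.
const transientFailure = [
  { adapter: "state", ok: false, detected: false },
  { adapter: "provider", ok: true, detected: false },
  { adapter: "tags", ok: true, detected: false },
  { adapter: "cloudtrail", ok: true, detected: false, probeAlive: true, events: [] },
];
// Case 2: ordinary provider churn; the CloudTrail probe is alive but saw no events.
const providerChurn = transientFailure.map((r) => ({
  ...r, ok: true, detected: r.adapter === "provider" }));
```

Running `classifyVulnerable` and `classifyFixed` over both constructed cases shows the masked failure being cached pre-fix (and skipped with `minConfidence: "medium"`), and the probe-liveness promotion to `ConsoleBreakGlass / high` becoming `Drift / medium` once event evidence is required.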

Conclusion

In conclusion, CVE-2026-48036 is a critical vulnerability in the @hulumi/drift package that can have significant impacts on drift detection and incident response. It is essential to upgrade to version 1.4.0 or later to mitigate this vulnerability and ensure the reliability of drift detection verdicts.