Categories: AWS, Cloud Infrastructure, Security

CodeBreach Vulnerability: How to Detect If Your AWS CodeBuild Projects Are Affected

Two missing characters nearly compromised the AWS Console. In January 2026, Wiz Security researchers disclosed CodeBreach, a supply chain vulnerability affecting AWS CodeBuild webhook configurations. The attack vector? Regex patterns missing ^ and $ anchors in ACTOR_ACCOUNT_ID filters allowed malicious pull requests to bypass security controls and execute code in build environments.
AWS patched the affected repositories within 48 hours, and no customer environments were compromised. But the vulnerability class remains relevant for any organization using CodeBuild webhooks with actor ID filtering. Here's how to audit your own configurations.

What Is the CodeBreach Vulnerability? #

CodeBuild webhooks can filter which GitHub users trigger builds using the ACTOR_ACCOUNT_ID filter type. The filter accepts a regex pattern to match against the numeric GitHub user ID of the pull request author.
The vulnerability: without ^ (start) and $ (end) anchors, a regex like 755743 matches any ID containing that string, not just an exact match. An attacker with ID 226755743 would pass the filter because their ID contains the approved substring.
  • Pattern 755743|123456 (vulnerable): matches any ID that contains 755743 or 123456 anywhere in it
  • Pattern ^755743$|^123456$ (secure): matches only the exact IDs 755743 and 123456
Wiz researchers exploited this to demonstrate credential extraction from a build environment with admin access to AWS SDK repositories. Full technical details are in their research post.

Terminology #

Understanding these terms helps when auditing your CodeBuild configurations:
  • Regex anchor: the ^ (start) and $ (end) characters that force a regex to match the entire string rather than a substring
  • ACTOR_ACCOUNT_ID: a CodeBuild webhook filter type that restricts builds based on the account ID of the GitHub/GitLab/Bitbucket user who triggered the event (on GitHub, the numeric user ID)
  • Webhook filter: rules that determine which repository events trigger CodeBuild builds
  • Supply chain attack: an attack targeting the software build and deployment pipeline rather than the application itself
  • ID Eclipse: the technique of creating an account whose ID contains another user's ID as a substring

Am I Affected by CodeBreach? #

You should audit your CodeBuild configurations if you:
  • Use GitHub, GitLab, or Bitbucket webhooks to trigger CodeBuild projects
  • Filter builds using ACTOR_ACCOUNT_ID patterns
  • Allow pull request events from external contributors
The risk is highest for public repositories where anyone can open a pull request.

How to Detect CodeBreach with CloudQuery #

CloudQuery syncs AWS CodeBuild project configurations, including webhook filter groups, into a queryable database. You can write SQL to identify vulnerable patterns across all your AWS accounts and regions.

Prerequisites #

  • CloudQuery CLI (download here)
  • AWS plugin v32.61.0 or later
  • PostgreSQL, ClickHouse, or another supported destination

CloudQuery Configuration #

kind: source
spec:
  name: aws
  path: cloudquery/aws
  registry: cloudquery
  version: 'v32.61.0'
  tables:
    - 'aws_codebuild_projects'
  destinations: ['postgresql']
  spec:
    regions:
      - 'us-east-1'
      - 'us-west-2'
      # Add your regions
Run the sync:
cloudquery sync aws.yml

Detection Query for Unanchored Webhook Filters #

This query identifies CodeBuild projects with ACTOR_ACCOUNT_ID filters that lack proper regex anchoring:
-- Find CodeBuild projects with potentially vulnerable ACTOR_ACCOUNT_ID filters
WITH webhook_filters AS (
  SELECT
    account_id,
    region,
    name AS project_name,
    arn,
    filter_group,
    filter_item
  FROM aws_codebuild_projects,
    LATERAL jsonb_array_elements(webhook->'filterGroups') AS filter_group,
    LATERAL jsonb_array_elements(filter_group) AS filter_item
  WHERE webhook IS NOT NULL
    AND webhook->'filterGroups' IS NOT NULL
)
SELECT
  account_id,
  region,
  project_name,
  arn,
  filter_item->>'type' AS filter_type,
  filter_item->>'pattern' AS pattern
FROM webhook_filters
WHERE filter_item->>'type' = 'ACTOR_ACCOUNT_ID'
  AND (
    -- Pattern doesn't start with ^ anchor
    filter_item->>'pattern' NOT LIKE '^%'
    OR
    -- Pattern doesn't end with $ anchor
    filter_item->>'pattern' NOT LIKE '%$'
  );
Any results indicate potentially vulnerable configurations that need remediation. The check is a heuristic: it inspects only the first and last character of the whole pattern, so a pattern such as ^755743|123456$ is not flagged even though only the outer ends of the alternation are anchored (the ID 755743001 still satisfies the ^755743 alternative). Review each alternative of every ACTOR_ACCOUNT_ID pattern individually, or split the pattern on | before testing for anchors.

What Makes a Webhook Filter Vulnerable to CodeBreach? #

A filter is vulnerable when the regex pattern can match unintended values. GitHub user IDs are assigned sequentially, so an attacker can predict when a "superstring" ID becomes available.
Wiz calculated that for a 6-digit maintainer ID, a matching superstring ID becomes available approximately every five days. They demonstrated this by claiming ID 226755743, which contains the substring 755743.
The fix is straightforward: anchor every ID in the pattern.
# Vulnerable
755743|123456|987654

# Secure
^755743$|^123456$|^987654$
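The following Python script is an added example written for this post; it is not CloudQuery's or Wiz's code and it does not call AWS. It applies the same anchoring check as the SQL query above to a constructed list of CodeBuild project records (the webhook.filterGroups shape that query reads), but grades each top-level alternative separately so that half-anchored patterns such as ^755743|123456$ are caught too; it then shows which patterns let the superstring ID 226755743 through (using re.search to model the substring matching described above; the regex engine CodeBuild uses is not stated on this page) and emits the anchored replacement from the fix section. The project names and every ID other than 755743, 123456 and 226755743 are made up.

```python
import re
from dataclasses import dataclass

# Superstring ID from the post: it contains the approved ID 755743 as a substring.
ECLIPSE_ID = "226755743"


def split_top_level_alternatives(pattern: str) -> list[str]:
    """Split a regex on '|' characters that are neither escaped nor inside parentheses."""
    parts, buf, depth, i = [], [], 0, 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):  # keep escape pairs together
            buf.append(pattern[i:i + 2])
            i += 2
            continue
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth = max(depth - 1, 0)
        elif ch == "|" and depth == 0:
            parts.append("".join(buf))
            buf = []
            i += 1
            continue
        buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts


def is_fully_anchored(pattern: str) -> bool:
    """True only if every top-level alternative starts with ^ and ends with an unescaped $.

    Stricter than checking the first and last character of the whole pattern: the
    pattern '^755743|123456$' passes that test but anchors only the outer ends.
    A pattern wrapped in an outer group, e.g. '(^a$|^b$)', is reported as unanchored
    and left for manual review (a deliberate, conservative false positive).
    """
    for alt in split_top_level_alternatives(pattern):
        alt = alt.strip()
        if not alt.startswith("^"):
            return False
        if not alt.endswith("$") or alt.endswith("\\$"):
            return False
    return True


def actor_passes(pattern: str, actor_id: str) -> bool:
    """Model substring semantics: an unanchored pattern is satisfied anywhere in the ID."""
    return re.search(pattern, actor_id) is not None


def harden(approved_ids: list[str]) -> str:
    """Build the anchored allow-list: one fully anchored alternative per approved ID."""
    return "|".join(f"^{re.escape(i)}$" for i in approved_ids)


@dataclass
class Finding:
    project: str
    pattern: str
    anchored: bool
    eclipse_passes: bool  # does ECLIPSE_ID satisfy this filter?
    suggested: str        # anchored replacement, empty if the pattern is not a plain ID list


def audit_projects(projects: list[dict]) -> list[Finding]:
    """Walk webhook.filterGroups (the shape the SQL query reads) and grade each actor filter."""
    findings = []
    for project in projects:
        webhook = project.get("webhook") or {}
        for group in webhook.get("filterGroups", []):
            for item in group:
                if item.get("type") != "ACTOR_ACCOUNT_ID":
                    continue
                if item.get("excludeMatchedPattern"):
                    # Deny-list filter: an unanchored pattern here blocks too much, not too little.
                    continue
                pattern = item["pattern"]
                ids = [re.sub(r"^\^|\$$", "", a.strip()) for a in split_top_level_alternatives(pattern)]
                findings.append(Finding(
                    project=project["name"],
                    pattern=pattern,
                    anchored=is_fully_anchored(pattern),
                    eclipse_passes=actor_passes(pattern, ECLIPSE_ID),
                    suggested=harden(ids) if all(i.isdigit() for i in ids) else "",
                ))
    return findings


# Constructed sample records in the shape of the CodeBuild project JSON CloudQuery syncs.
SAMPLE_PROJECTS = [
    {"name": "sdk-release", "webhook": {"filterGroups": [[
        {"type": "EVENT", "pattern": "PULL_REQUEST_CREATED,PULL_REQUEST_UPDATED"},
        {"type": "ACTOR_ACCOUNT_ID", "pattern": "755743|123456"}]]}},
    {"name": "half-anchored", "webhook": {"filterGroups": [[
        {"type": "EVENT", "pattern": "PULL_REQUEST_CREATED"},
        {"type": "ACTOR_ACCOUNT_ID", "pattern": "^755743|123456$"}]]}},
    {"name": "sdk-release-fixed", "webhook": {"filterGroups": [[
        {"type": "EVENT", "pattern": "PULL_REQUEST_CREATED,PULL_REQUEST_UPDATED"},
        {"type": "ACTOR_ACCOUNT_ID", "pattern": "^755743$|^123456$"}]]}},
    {"name": "no-webhook", "webhook": None},
]

if __name__ == "__main__":
    for f in audit_projects(SAMPLE_PROJECTS):
        status = "ok" if f.anchored else "VULNERABLE"
        print(f"{f.project}: {f.pattern!r} {status}; eclipse ID passes: {f.eclipse_passes}; fix: {f.suggested}")
```

Run against the sample, sdk-release and half-anchored are reported as vulnerable and sdk-release-fixed as ok; only sdk-release lets 226755743 through, but half-anchored would admit any ID beginning with 755743, which is why the per-alternative check matters more than the single superstring test.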

What Other CodeBuild Security Issues Should I Check? #

Is Pull Request Comment Approval Enabled? #

AWS added Pull Request Comment Approval as a defense-in-depth measure: builds triggered by pull requests from untrusted contributors do not run until a trusted maintainer approves them with a comment on the pull request.
-- Find projects without Pull Request Comment Approval enabled
SELECT
  account_id,
  region,
  name AS project_name,
  arn,
  webhook->'pullRequestBuildPolicy'->>'requiresCommentApproval' AS approval_setting
FROM aws_codebuild_projects
WHERE webhook IS NOT NULL
  AND (
    webhook->'pullRequestBuildPolicy' IS NULL
    OR webhook->'pullRequestBuildPolicy'->>'requiresCommentApproval' = 'DISABLED'
  );

Are There Overly Permissive Event Filters? #

Projects that trigger on all pull request events without additional filtering present higher risk:
-- Find projects that trigger on PR events without ACTOR_ACCOUNT_ID filtering
WITH pr_triggered_projects AS (
  SELECT
    account_id,
    region,
    name AS project_name,
    arn,
    filter_group
  FROM aws_codebuild_projects,
    LATERAL jsonb_array_elements(webhook->'filterGroups') AS filter_group
  WHERE webhook IS NOT NULL
)
SELECT DISTINCT
  account_id,
  region,
  project_name,
  arn
FROM pr_triggered_projects
WHERE filter_group::text LIKE '%PULL_REQUEST%'
  AND NOT filter_group::text LIKE '%ACTOR_ACCOUNT_ID%';

How Do I Fix CodeBreach Vulnerabilities? #

  1. Anchor all ACTOR_ACCOUNT_ID patterns with ^ at the start and $ at the end of each ID
  2. Enable Pull Request Comment Approval by setting requiresCommentApproval to ALL_PULL_REQUESTS or FORK_PULL_REQUESTS
  3. Use fine-grained GitHub PATs with minimal required permissions instead of classic tokens
  4. Audit build environment variables to ensure credentials are not exposed in logs
AWS recommends reviewing the CodeBuild webhook security documentation for current best practices.

Key Takeaways #

  • CodeBreach exploited unanchored regex patterns in AWS CodeBuild webhook filters, discovered and responsibly disclosed by Wiz Security
  • Two missing characters (^ and $) allowed attackers to bypass ACTOR_ACCOUNT_ID restrictions
  • CloudQuery can audit all your CodeBuild projects across accounts and regions with a single SQL query
  • Enable Pull Request Comment Approval as an additional layer of defense
  • AWS fixed the specific instances, but the vulnerability class can exist in any CodeBuild deployment using webhook filters

Get Started with CloudQuery #

CloudQuery syncs your cloud infrastructure configurations into a database you control, making security audits like this one possible with standard SQL. No agents, no proprietary query languages.
Download CloudQuery and run your first sync in minutes. The AWS plugin syncs over 350 AWS resource types including CodeBuild projects, IAM policies, and security configurations. Check the documentation for authentication setup and available tables.

Frequently Asked Questions #

What is CodeBreach? #

CodeBreach is a supply chain vulnerability in AWS CodeBuild webhook configurations discovered by Wiz Security in 2025 and publicly disclosed in January 2026. Unanchored regex patterns in ACTOR_ACCOUNT_ID filters allowed attackers to bypass build restrictions by creating GitHub accounts with IDs containing approved maintainer IDs as substrings.

Is CodeBreach a flaw in AWS CodeBuild? #

No. AWS confirmed this was a project-specific misconfiguration in webhook filters, not a vulnerability in the CodeBuild service itself. The regex pattern syntax worked as designed; the issue was how patterns were written.

How do I find my GitHub user ID? #

Query the GitHub API: https://api.github.com/users/YOUR_USERNAME. The id field contains your numeric user ID.

What is an unanchored regex pattern? #

A regex without ^ (start) and $ (end) anchors matches substrings rather than exact values. The pattern 12345 matches any string containing "12345", while ^12345$ matches only the exact string "12345".

Did AWS fix the CodeBreach vulnerability? #

AWS fixed the specific affected repositories within 48 hours of disclosure. No customer environments were compromised. Organizations using similar webhook configurations should audit their own patterns.

Can attackers still exploit CodeBreach in my environment? #

If your CodeBuild projects use unanchored ACTOR_ACCOUNT_ID patterns, they remain vulnerable to the same attack class. Use the detection queries in this post to audit your configurations.

How long does it take to audit CodeBuild with CloudQuery? #

The initial sync of CodeBuild projects typically completes in under a minute for most AWS accounts. Once synced, running the detection queries takes seconds. You can schedule regular syncs to continuously monitor for misconfigurations.

What other CI/CD security issues can CloudQuery detect? #

Beyond CodeBreach, CloudQuery can audit IAM policies, exposed secrets in environment variables, overly permissive S3 bucket policies, and public build artifacts. The SQL-based approach lets you write custom queries for any security check across your entire cloud asset inventory.


© 2026 CloudQuery, Inc. All rights reserved.