CVE-2026-32265
Unauthorized Bucket Listing in Amazon S3 Craft CMS Plugin
Publication date: 2026-03-18
Last updated on: 2026-03-18
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| craftcms | amazon_s3 | From 2.0.2 (inc) to 2.2.4 (inc) |
| craftcms | amazon_s3 | 2.2.5 |
| craftcms | aws-s3 | From 2.0.2 (inc) to 2.2.4 (inc) |
| craftcms | aws-s3 | 2.2.5 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
AI Powered Q&A
How can this vulnerability impact me?
This vulnerability can lead to unauthorized disclosure of information about the Amazon S3 buckets that the Craft CMS plugin has access to.
An attacker or unauthenticated user with a valid CSRF token could view a list of these buckets, potentially exposing sensitive infrastructure details.
While the vulnerability does not allow modification or deletion of data, the exposure of bucket names or existence could aid further targeted attacks or reconnaissance.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
Can you explain this vulnerability to me?
CVE-2026-32265 is an information disclosure vulnerability in the Amazon S3 plugin for Craft CMS, affecting versions 2.0.2 through 2.2.4.
The vulnerability occurs because the BucketsController->actionLoadBucketData() endpoint allows unauthenticated users who have a valid CSRF token to view a list of Amazon S3 buckets that the plugin has access to.
This means that unauthorized users can see bucket information that should be restricted.
The issue was fixed by adding an authorization check requiring administrative privileges to access this endpoint, starting from version 2.2.5.
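The following Craft CMS controller is an illustration added here, not the plugin's own source: it shows the anonymous-access pattern the answer above describes next to the hardened form that requires an admin user before any bucket data is loaded. The namespace, the loadBuckets() helper, the constructed sample bucket names, and the Craft 4 controller API (allowAnonymous, requirePostRequest(), requireAcceptsJson(), requireAdmin()) are assumptions for the example; only the controller and action names come from the advisory.

```php
<?php
// Added illustration of the vulnerable vs. hardened controller pattern.
// Not the plugin's code; structure and helper names are assumed.
namespace craft\awss3\controllers; // assumed namespace for the example

use craft\web\Controller;
use yii\web\Response;

class BucketsController extends Controller
{
    // VULNERABLE PATTERN: listing the action in $allowAnonymous lets any visitor
    // reach it. The only remaining gate is Craft's CSRF check, which is not an
    // authentication control: the token is issued to anonymous sessions too.
    //
    // protected array|int|bool $allowAnonymous = ['load-bucket-data'];

    // HARDENED PATTERN: keep the default (no anonymous access) and add an
    // explicit privilege check inside the action, mirroring what the advisory
    // says the 2.2.5 fix does.
    protected array|int|bool $allowAnonymous = false;

    public function actionLoadBucketData(): Response
    {
        // Order matters: every check runs before any S3 call or data is touched.
        $this->requirePostRequest();  // GET requests are rejected outright
        $this->requireAcceptsJson();  // this is a control-panel AJAX endpoint
        // Throws ForbiddenHttpException (HTTP 403) unless the current user is an
        // admin. false = do not additionally require allowAdminChanges, since
        // listing buckets is a read-only operation.
        $this->requireAdmin(false);

        $buckets = $this->loadBuckets();

        return $this->asJson(['buckets' => $buckets]);
    }

    /**
     * Stand-in for the S3 ListBuckets call (assumed helper). The real plugin
     * talks to AWS here; constructed sample names are returned so the
     * authorization flow above can be read without external dependencies.
     */
    private function loadBuckets(): array
    {
        return [
            ['name' => 'example-assets-bucket', 'region' => 'us-east-1'],
            ['name' => 'example-backups-bucket', 'region' => 'eu-west-1'],
        ];
    }
}
```

The design point is that $allowAnonymous is an allow-list and the CSRF check is not a substitute for it: an action that returns infrastructure details should stay off that list and fail closed with requireAdmin() (or requirePermission() for a narrower grant) before doing any work, so a valid token alone can never reach the S3 call.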
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to access the BucketsController->actionLoadBucketData() endpoint without authentication but with a valid CSRF token to see if a list of S3 buckets is returned.
A practical approach is to send an HTTP request to the vulnerable endpoint and check if bucket information is disclosed.
Example command using curl (replace URL and CSRF token accordingly):
curl -X POST -H "X-CSRF-Token: <valid_csrf_token>" https://<your-craftcms-site>/actions/aws-s3/buckets/load-bucket-data
If the response contains a list of buckets without requiring authentication, the system is vulnerable. [2]
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to update the Amazon S3 plugin for Craft CMS to version 2.2.5 or later.
This update includes an authorization check that restricts access to the bucket data endpoint to administrative users only.
Until the update can be applied, consider restricting access to the vulnerable endpoint or implementing additional access controls to prevent unauthenticated users from accessing it.