CVE-2026-32265
Received Received - Intake
Unauthorized Bucket Listing in Amazon S3 Craft CMS Plugin

Publication date: 2026-03-18

Last updated on: 2026-03-18

Assigner: GitHub, Inc.

Description
The Amazon S3 for Craft CMS plugin provides an Amazon S3 integration for Craft CMS. In versions 2.0.2 through 2.2.4, unauthenticated users can view a list of buckets the plugin has access to. The `BucketsController->actionLoadBucketData()` endpoint allows unauthenticated users with a valid CSRF token to view a list of buckets that the plugin is allowed to see. Users should update to version 2.2.5 of the plugin to mitigate the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-18
Last Modified
2026-03-18
Generated
2026-06-16
AI Q&A
2026-03-18
EPSS Evaluated
2026-06-14
NVD
CVE-2026-32265
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
craftcms amazon_s3 From 2.0.2 (inc) to 2.2.4 (inc)
craftcms amazon_s3 2.2.5
craftcms aws-s3 From 2.0.2 (inc) to 2.2.4 (inc)
craftcms aws-s3 2.2.5
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

This vulnerability can lead to unauthorized disclosure of information about the Amazon S3 buckets that the Craft CMS plugin has access to.

An attacker or unauthenticated user with a valid CSRF token could view a list of these buckets, potentially exposing sensitive infrastructure details.

While the vulnerability does not allow modification or deletion of data, the exposure of bucket names or existence could aid further targeted attacks or reconnaissance.

Compliance Impact

I don't know

Executive Summary

CVE-2026-32265 is an information disclosure vulnerability in the Amazon S3 plugin for Craft CMS, affecting versions 2.0.2 through 2.2.4.

The vulnerability occurs because the BucketsController->actionLoadBucketData() endpoint allows unauthenticated users who have a valid CSRF token to view a list of Amazon S3 buckets that the plugin has access to.

This means that unauthorized users can see bucket information that should be restricted.

The issue was fixed by adding an authorization check requiring administrative privileges to access this endpoint, starting from version 2.2.5.

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by attempting to access the BucketsController->actionLoadBucketData() endpoint without authentication but with a valid CSRF token to see if a list of S3 buckets is returned.'}, {'type': 'paragraph', 'content': 'A practical approach is to send an HTTP request to the vulnerable endpoint and check if bucket information is disclosed.'}, {'type': 'paragraph', 'content': 'Example command using curl (replace URL and CSRF token accordingly):'}, {'type': 'list_item', 'content': 'curl -X POST -H "X-CSRF-Token: <valid_csrf_token>" https://<your-craftcms-site>/actions/aws-s3/buckets/load-bucket-data'}, {'type': 'paragraph', 'content': 'If the response contains a list of buckets without requiring authentication, the system is vulnerable.'}] [2]

Mitigation Strategies

The immediate step to mitigate this vulnerability is to update the Amazon S3 plugin for Craft CMS to version 2.2.5 or later.

This update includes an authorization check that restricts access to the bucket data endpoint to administrative users only.

Until the update can be applied, consider restricting access to the vulnerable endpoint or implementing additional access controls to prevent unauthenticated users from accessing it.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32265. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart