CVE-2026-32265
Received Received - Intake

Unauthorized Bucket Listing in Amazon S3 Craft CMS Plugin

Vulnerability report for CVE-2026-32265, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-03-18

Last updated on: 2026-03-18

Assigner: GitHub, Inc.

Description

The Amazon S3 for Craft CMS plugin provides an Amazon S3 integration for Craft CMS. In versions 2.0.2 through 2.2.4, unauthenticated users can view a list of buckets the plugin has access to. The `BucketsController->actionLoadBucketData()` endpoint allows unauthenticated users with a valid CSRF token to view a list of buckets that the plugin is allowed to see. Users should update to version 2.2.5 of the plugin to mitigate the issue.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-03-18
Last Modified
2026-03-18
Generated
2026-07-06
AI Q&A
2026-03-18
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 4 associated CPEs
Vendor Product Version / Range
craftcms amazon_s3 From 2.0.2 (inc) to 2.2.4 (inc)
craftcms amazon_s3 2.2.5
craftcms aws-s3 From 2.0.2 (inc) to 2.2.4 (inc)
craftcms aws-s3 2.2.5

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Impact Analysis

This vulnerability can lead to unauthorized disclosure of information about the Amazon S3 buckets that the Craft CMS plugin has access to.

An attacker or unauthenticated user with a valid CSRF token could view a list of these buckets, potentially exposing sensitive infrastructure details.

While the vulnerability does not allow modification or deletion of data, the exposure of bucket names or existence could aid further targeted attacks or reconnaissance.

Compliance Impact

I don't know

Executive Summary

CVE-2026-32265 is an information disclosure vulnerability in the Amazon S3 plugin for Craft CMS, affecting versions 2.0.2 through 2.2.4.

The vulnerability occurs because the BucketsController->actionLoadBucketData() endpoint allows unauthenticated users who have a valid CSRF token to view a list of Amazon S3 buckets that the plugin has access to.

This means that unauthorized users can see bucket information that should be restricted.

The issue was fixed by adding an authorization check requiring administrative privileges to access this endpoint, starting from version 2.2.5.

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by attempting to access the BucketsController->actionLoadBucketData() endpoint without authentication but with a valid CSRF token to see if a list of S3 buckets is returned.'}, {'type': 'paragraph', 'content': 'A practical approach is to send an HTTP request to the vulnerable endpoint and check if bucket information is disclosed.'}, {'type': 'paragraph', 'content': 'Example command using curl (replace URL and CSRF token accordingly):'}, {'type': 'list_item', 'content': 'curl -X POST -H "X-CSRF-Token: <valid_csrf_token>" https://<your-craftcms-site>/actions/aws-s3/buckets/load-bucket-data'}, {'type': 'paragraph', 'content': 'If the response contains a list of buckets without requiring authentication, the system is vulnerable.'}] [2]

Mitigation Strategies

The immediate step to mitigate this vulnerability is to update the Amazon S3 plugin for Craft CMS to version 2.2.5 or later.

This update includes an authorization check that restricts access to the bucket data endpoint to administrative users only.

Until the update can be applied, consider restricting access to the vulnerable endpoint or implementing additional access controls to prevent unauthenticated users from accessing it.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32265. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart