CVE-2026-32266
Status: Received - Intake
Information Disclosure in Google Cloud Storage Plugin for Craft CMS

Publication date: 2026-03-18

Last updated on: 2026-03-18

Assigner: GitHub, Inc.

Description
The Google Cloud Storage for Craft CMS plugin provides a Google Cloud Storage integration for Craft CMS. In versions on the 2.x branch prior to 2.2.1, the `DefaultController->actionLoadBucketData()` endpoint allows unauthenticated users with a valid CSRF token to view a list of buckets that the plugin is allowed to see. Users should update to version 2.2.1 of the plugin to mitigate the issue.
Meta Information
Published: 2026-03-18
Last Modified: 2026-03-18
Generated: 2026-06-16
AI Q&A: 2026-03-18
EPSS Evaluated: 2026-06-15
Affected Vendors & Products (2 associated CPEs)
Vendor     Product        Version / Range
craftcms   google_cloud   up to 2.2.1 (excluding)
craftcms   google_cloud   from 2.0.0-beta.1 (including) to 2.2.0 (including)
CWE
CWE-200: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Impact Analysis

This vulnerability allows unauthorized users to learn the names of the Google Cloud Storage buckets visible to the credentials the Craft CMS plugin is configured with.

It does not by itself grant access to bucket contents. Bucket names are still useful reconnaissance: GCS bucket names are globally unique, so a bucket's public-access status can be probed directly once its name is known, and names often reveal project, environment or customer naming conventions that help with targeted attacks or social engineering.

It may also raise the impact of other vulnerabilities or misconfigurations, for example an overly permissive bucket IAM policy, that would otherwise require guessing the bucket name.


Executive Summary

CVE-2026-32266 is an information disclosure vulnerability in the Google Cloud Storage plugin for Craft CMS, affecting versions 2.0.0-beta.1 through 2.2.0. The DefaultController->actionLoadBucketData() endpoint was reachable by unauthenticated users: the only gate was a valid CSRF token, which Craft issues to any visitor's session and which protects against cross-site request forgery, not against a caller who simply requests one for themselves.

Any visitor can therefore enumerate the names of the storage buckets the plugin's credentials can see without authenticating, exposing information about the cloud storage setup.

The issue is rated low severity and was fixed in version 2.2.1, which adds authorization checks restricting the endpoint to admin users.

Detection Guidance

This vulnerability can be detected by attempting to access the DefaultController->actionLoadBucketData() endpoint of the Craft CMS Google Cloud Storage plugin without authentication but with a valid CSRF token. If the endpoint returns a list of buckets, the system is vulnerable.

A possible way to test this is by sending a POST request with a valid CSRF token to the vulnerable endpoint and checking whether bucket data is disclosed. Craft validates the token in the X-CSRF-Token header against the CSRF cookie of the session that issued it, so the probe needs both: obtain them as a guest browser would (load a front-end page that renders a form, read the token from the page and keep the cookie in a cookie jar), then:

- Send a POST request carrying the CSRF token and cookie to the endpoint, for example:
  curl -X POST -b cookies.txt -H "X-CSRF-Token: <valid_token>" -H "Accept: application/json" https://<your-craftcms-site>/actions/google-cloud/default/load-bucket-data
- Observe the response; if it contains bucket names or data without authentication, the vulnerability is present. An error response (such as a 403) with no bucket data indicates the authorization check from 2.2.1 is in place. Run this only against systems you are authorized to test.
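The live probe above needs a reachable site and a CSRF token. An offline complement, added here as an example that is not part of the advisory or the plugin, is to read the installed craftcms/google-cloud version out of composer.lock and test it against the affected range taken from the CPE data above (2.x before 2.2.1). The composer.lock fragment the script writes is constructed sample input; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the advisory or the plugin: inventory check for
# CVE-2026-32266 based on the installed craftcms/google-cloud version.

# is_affected_version VERSION -> exit 0 if VERSION is an affected 2.x build.
# A leading "v" and any pre-release/build suffix are dropped before the
# numeric compare, so 2.0.0-beta.1 is judged as 2.0.0 (< 2.2.1, affected).
# Caveat: a hypothetical 2.2.1-beta would be judged as 2.2.1 (not affected);
# only the released 2.2.1 is documented as fixed.
is_affected_version() {
    ver=$(printf '%s' "$1" | sed 's/^v//; s/[-+].*$//')
    ver_major=${ver%%.*}
    ver_rest=${ver#*.}; [ "$ver_rest" = "$ver" ] && ver_rest=""
    ver_minor=${ver_rest%%.*}
    ver_rest2=${ver_rest#*.}; [ "$ver_rest2" = "$ver_rest" ] && ver_rest2=""
    ver_patch=${ver_rest2%%.*}
    : "${ver_minor:=0}" "${ver_patch:=0}"
    # Only the 2.x branch is covered by the advisory.
    [ "$ver_major" -eq 2 ] 2>/dev/null || return 1
    # Affected: anything numerically below 2.2.1.
    [ "$ver_minor" -lt 2 ] && return 0
    [ "$ver_minor" -eq 2 ] && [ "$ver_patch" -lt 1 ] && return 0
    return 1
}

# installed_version_from_lock LOCKFILE -> prints the version of
# craftcms/google-cloud recorded in composer.lock, or nothing if absent.
# The "version" key follows the "name" key inside each package object.
installed_version_from_lock() {
    awk '
        /"name": *"craftcms\/google-cloud"/ { found = 1; next }
        found && /"version":/ {
            gsub(/[",]/, ""); sub(/.*version: */, ""); print; exit
        }
    ' "$1"
}

# check_lock LOCKFILE -> prints a one-line verdict; exit 0 only if affected.
check_lock() {
    installed=$(installed_version_from_lock "$1")
    if [ -z "$installed" ]; then
        echo "craftcms/google-cloud not installed"
        return 1
    fi
    if is_affected_version "$installed"; then
        echo "AFFECTED craftcms/google-cloud $installed"
        return 0
    fi
    echo "ok craftcms/google-cloud $installed"
    return 1
}

# write_sample_lock PATH -> constructed composer.lock fragment for a local
# dry run; on a real host point check_lock at the project's composer.lock.
write_sample_lock() {
    cat > "$1" <<'EOF'
{
    "packages": [
        {
            "name": "craftcms/cms",
            "version": "4.5.0"
        },
        {
            "name": "craftcms/google-cloud",
            "version": "2.1.0"
        }
    ]
}
EOF
}
```

Usage on a real install: `check_lock /path/to/project/composer.lock`; the verdict line is meant to be greppable from a fleet-wide loop.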

Mitigation Strategies

The immediate and recommended step is to update the Craft CMS Google Cloud Storage plugin to version 2.2.1 or later, where the issue has been fixed.

The fix adds authorization checks so that only admin users can call the actionLoadBucketData endpoint, enforces POST requests, and requires a JSON Accept header.

Until the update is applied, block the action at the edge and watch for attempts. Craft can route controller actions both through the /actions/<plugin>/<controller>/<action> path and through an action request parameter submitted to any URL, so a web-server or WAF rule that matches only the URL path is incomplete; matching the action name google-cloud/default/load-bucket-data in request bodies as well, or temporarily disabling the plugin, is more reliable. Log and review requests for that action that arrive without a control-panel session.
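The fix as described above maps onto three checks that Craft CMS controllers already provide. The following is an added illustrative example, not the plugin's source or its 2.2.1 patch: it shows the weak setting that matches the advisory's description (the action served to anonymous requests) next to the corrected form (admin-only, POST-only, JSON-only). The namespace, class name and the bucket-listing helper are assumptions for illustration; `requireAdmin()`, `requirePostRequest()`, `requireAcceptsJson()`, `$allowAnonymous` and `asJson()` are real craft\web\Controller / yii APIs.

```php
<?php
// Added illustrative example, not the plugin's own code. Controller name,
// namespace and listBuckets() are assumptions for illustration.
namespace modules\example\controllers;

use craft\web\Controller;
use yii\web\Response;

class BucketController extends Controller
{
    // WEAK (what the advisory describes): listing the action here makes Craft
    // run it for guests. CSRF validation still happens on POST, but Craft hands
    // a CSRF token to any visitor's session, so it is not an authorization check.
    //
    // protected array|bool|int $allowAnonymous = ['load-bucket-data'];

    // CORRECTED: no action in this controller is served to anonymous requests.
    protected array|bool|int $allowAnonymous = self::ALLOW_ANONYMOUS_NEVER;

    public function actionLoadBucketData(): Response
    {
        // Authorization first: throws a 403 for any logged-in user who is not
        // an admin. Do this before touching the server-side cloud credentials.
        // false = do not additionally require the allowAdminChanges setting,
        // since this action only reads.
        $this->requireAdmin(false);

        // CSRF validation applies only to unsafe methods such as POST;
        // rejecting GET closes the path where the token check never runs.
        $this->requirePostRequest();

        // Only answer clients that accept JSON (the control panel's XHR), so a
        // browser navigating here directly gets a 400 instead of data.
        $this->requireAcceptsJson();

        return $this->asJson(['buckets' => $this->listBuckets()]);
    }

    // Stand-in for the plugin's Google Cloud Storage call (assumption for
    // this example); in the real plugin this is where the bucket list comes
    // from using the server's configured credentials.
    private function listBuckets(): array
    {
        return ['example-assets-bucket'];
    }
}
```

The ordering matters: the authentication and authorization checks run before any code path that uses server-side credentials, so a guest, or a non-admin user, never reaches the cloud call regardless of whether the request carried a valid CSRF token.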
