CVE-2026-32266
Information Disclosure in Google Cloud Storage Plugin for Craft CMS
Publication date: 2026-03-18
Last updated on: 2026-03-18
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| craftcms | google_cloud | Up to 2.2.1 (exc) |
| craftcms | google_cloud | From 2.0.0-beta.1 (inc) to 2.2.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
AI Powered Q&A
How can this vulnerability impact me?
This vulnerability can impact you by allowing unauthorized users to discover the names of your Google Cloud Storage buckets used by the Craft CMS plugin.
While it does not allow direct access to the contents of the buckets, exposing bucket names can aid attackers in reconnaissance efforts, potentially leading to targeted attacks or social engineering.
It may also increase the risk of further exploitation if combined with other vulnerabilities or misconfigurations.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
Can you explain this vulnerability to me?
CVE-2026-32266 is an information disclosure vulnerability in the Google Cloud Storage plugin for Craft CMS versions 2.0.0-beta.1 up to 2.2.0. The vulnerability occurs because the DefaultController->actionLoadBucketData() endpoint allows unauthenticated users, if they have a valid CSRF token, to view a list of cloud storage buckets that the plugin can access.
This means that unauthorized users can gain visibility into the names of storage buckets without needing to authenticate, potentially exposing sensitive information about the cloud storage setup.
The issue is considered low severity and was fixed in version 2.2.1 by adding authorization checks to restrict access to this endpoint.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to access the DefaultController->actionLoadBucketData() endpoint of the Craft CMS Google Cloud Storage plugin without authentication but with a valid CSRF token. If the endpoint returns a list of buckets, the system is vulnerable.
A possible way to test this is to send a POST request with a valid CSRF token to the vulnerable endpoint and check whether bucket data is disclosed.
- Use curl to send a POST request with a CSRF token to the endpoint, for example: curl -X POST -H "X-CSRF-Token: <valid_token>" -H "Accept: application/json" https://<your-craftcms-site>/actions/google-cloud/default/load-bucket-data
- Observe the response; if it contains bucket names or data without authentication, the vulnerability is present. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
The immediate and recommended step to mitigate this vulnerability is to update the Craft CMS Google Cloud Storage plugin to version 2.2.1 or later, where the issue has been fixed.
The fix includes adding authorization checks to ensure only admin users can access the actionLoadBucketData endpoint, enforcing POST requests, and requiring JSON accept headers.
Until the update is applied, restrict access to the vulnerable endpoint and monitor for unauthorized access attempts.
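The hardened controller pattern the fix describes (admin-only, POST-only, JSON-only), written here as an added illustration for Craft CMS 4 and not the plugin's own code; the namespace, class name, body parameter names and the listBucketNames helper are assumptions.

```php
<?php
// Added illustration of the hardened pattern; not the plugin's own code.
// Namespace, class name, parameter names and the helper are assumptions.
namespace example\googlecloud\controllers;

use Craft;
use craft\web\Controller;
use yii\web\Response;

class DefaultController extends Controller
{
    // A valid CSRF token only proves the request originated from a page the
    // site served; it says nothing about who the caller is. Refuse anonymous
    // access to every action in this controller outright.
    protected array|bool|int $allowAnonymous = self::ALLOW_ANONYMOUS_NEVER;

    public function actionLoadBucketData(): Response
    {
        // 1. POST only: a GET to this URL is rejected (400) instead of
        //    returning data to a plain address-bar visit.
        $this->requirePostRequest();

        // 2. JSON only: the caller must send an Accept header for JSON, so the
        //    response is never rendered as part of an unrelated page.
        $this->requireAcceptsJson();

        // 3. Admin only (403 otherwise). The false argument requires admin
        //    status without also requiring allowAdminChanges, since this
        //    action only reads bucket names.
        $this->requireAdmin(false);

        // Credentials are taken from the request body, not the query string.
        $request = Craft::$app->getRequest();
        $projectId = $request->getRequiredBodyParam('projectId');
        $keyFileContents = $request->getRequiredBodyParam('keyFileContents');

        $buckets = self::listBucketNames($projectId, $keyFileContents);

        return $this->asJson(['buckets' => $buckets]);
    }

    /** Hypothetical stand-in for the storage-client call; returns constructed data. */
    private static function listBucketNames(string $projectId, string $keyFileContents): array
    {
        // Constructed sample so the response shape is visible without credentials.
        return [['name' => 'example-assets', 'projectId' => $projectId]];
    }
}
```

With the three checks in place, the endpoint responds 400 to non-POST or non-JSON requests and 403 to any caller who is not an admin, which is the behaviour to confirm after upgrading to 2.2.1 or later.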