CVE-2026-32266 - Vulnerability Details - OpenCVE

The Google Cloud Storage for Craft CMS plugin provides a Google Cloud Storage integration for Craft CMS. In versions on the 2.x branch prior to 2.2.1, the `DefaultController->actionLoadBucketData()` endpoint allows unauthenticated users with a valid CSRF token to view a list of buckets that the plugin is allowed to see. Users should update to version 2.2.1 of the plugin to mitigate the issue.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements Present

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact High

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

No data.

References

Link	Providers
https://github.com/craftcms/google-cloud/commit/651bacaa5f5fd7813e4075e0747b1d706391fb2c
https://github.com/craftcms/google-cloud/security/advisories/GHSA-67cr-jmh8-4jpq

History

Wed, 18 Mar 2026 04:15:00 +0000

Type	Values Removed	Values Added
Description		The Google Cloud Storage for Craft CMS plugin provides a Google Cloud Storage integration for Craft CMS. In versions on the 2.x branch prior to 2.2.1, the `DefaultController->actionLoadBucketData()` endpoint allows unauthenticated users with a valid CSRF token to view a list of buckets that the plugin is allowed to see. Users should update to version 2.2.1 of the plugin to mitigate the issue.
Title		Google Cloud Storage for Craft CMS has an Information Disclosure Vulnerability
Weaknesses		CWE-200
References		https://github.com/craftcms/google-cloud/commit/651bacaa5f5fd7813e4075e0747b1d706391fb2c https://github.com/craftcms/google-cloud/security/advisories/GHSA-67cr-jmh8-4jpq
Metrics		cvssV4_0 `{'score': 2.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:H/SI:N/SA:N/E:U'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-03-18T03:46:00.150Z

Updated: 2026-03-18T03:46:00.150Z

Reserved: 2026-03-11T15:05:48.397Z

Link: CVE-2026-32266

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-03-18T04:17:27.540

Modified: 2026-03-18T04:17:27.540

Link: CVE-2026-32266

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32266", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-11T15:05:48.397Z", "datePublished": "2026-03-18T03:46:00.150Z", "dateUpdated": "2026-03-18T03:46:00.150Z"}, "containers": {"cna": {"title": "Google Cloud Storage for Craft CMS has an Information Disclosure Vulnerability", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 2.4, "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:H/SI:N/SA:N/E:U", "version": "4.0"}}], "references": [{"name": "https://github.com/craftcms/google-cloud/security/advisories/GHSA-67cr-jmh8-4jpq", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/craftcms/google-cloud/security/advisories/GHSA-67cr-jmh8-4jpq"}, {"name": "https://github.com/craftcms/google-cloud/commit/651bacaa5f5fd7813e4075e0747b1d706391fb2c", "tags": ["x_refsource_MISC"], "url": "https://github.com/craftcms/google-cloud/commit/651bacaa5f5fd7813e4075e0747b1d706391fb2c"}], "affected": [{"vendor": "craftcms", "product": "google-cloud", "versions": [{"version": ">= 2.0.0-beta.1, < 2.2.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-18T03:46:00.150Z"}, "descriptions": [{"lang": "en", "value": "The Google Cloud Storage for Craft CMS plugin provides a Google Cloud Storage integration for Craft CMS. In versions on the 2.x branch prior to 2.2.1, the `DefaultController->actionLoadBucketData()` endpoint allows unauthenticated users with a valid CSRF token to view a list of buckets that the plugin is allowed to see. Users should update to version 2.2.1 of the plugin to mitigate the issue."}], "source": {"advisory": "GHSA-67cr-jmh8-4jpq", "discovery": "UNKNOWN"}}}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Google Cloud Storage for Craft CMS plugin provides a Google Cloud Storage integration for Craft CMS. In versions on the 2.x branch prior to 2.2.1, the `DefaultController->actionLoadBucketData()` endpoint allows unauthenticated users with a valid CSRF token to view a list of buckets that the plugin is allowed to see. Users should update to version 2.2.1 of the plugin to mitigate the issue."}], "id": "CVE-2026-32266", "lastModified": "2026-03-18T04:17:27.540", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.4, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "UNREPORTED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:H/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-18T04:17:27.540", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/craftcms/google-cloud/commit/651bacaa5f5fd7813e4075e0747b1d706391fb2c"}, {"source": "security-advisories@github.com", "url": "https://github.com/craftcms/google-cloud/security/advisories/GHSA-67cr-jmh8-4jpq"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "security-advisories@github.com", "type": "Primary"}]}