Description
The Amazon S3 for Craft CMS plugin provides an Amazon S3 integration for Craft CMS. In versions 2.0.2 through 2.2.4, unauthenticated users can view a list of buckets the plugin has access to. The `BucketsController->actionLoadBucketData()` endpoint allows unauthenticated users with a valid CSRF token to view a list of buckets that the plugin is allowed to see. Users should update to version 2.2.5 of the plugin to mitigate the issue.
Published: 2026-03-18
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Patch
AI Analysis

Impact

The Amazon S3 for Craft CMS plugin suffered an information disclosure flaw (CWE-200). In affected versions 2.0.2 through 2.2.4, the BucketsController->actionLoadBucketData() endpoint allowed unauthenticated users who possessed a valid CSRF token to retrieve a list of S3 buckets the plugin could access. This could expose the names of storage buckets, potentially aiding attackers in reconnaissance and further exploit attempts.

Affected Systems

Users running the Craft CMS amazon-s3 plugin version 2.0.2, 2.1.x, or 2.2.4 are vulnerable. The issue is specific to the aws-s3 plugin for Craft CMS and does not affect other Craft CMS components.

Risk and Exploitability

The CVSS score of 6.9 indicates a moderate severity vulnerability. EPSS data is unavailable and the vulnerability is not listed in CISA’s KEV catalog, suggesting limited evidence of exploitation in the wild. The likely attack vector is client-side, via a legitimate session that holds a CSRF token: an attacker would need to browse the site or trick a user into generating a token, after which the bucket list can be retrieved without authentication. Although the exposure does not compromise the S3 buckets themselves, it leaks potentially sensitive inventory data and could assist further attacks.

Generated by OpenCVE AI on March 18, 2026 at 05:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to craftcms/aws-s3 version 2.2.5 or later


Advisories
Source: Github GHSA
ID: GHSA-hwj7-4vgc-j3v9
Title: Amazon S3 for Craft CMS has an Information Disclosure vulnerability
History

Wed, 18 Mar 2026 14:15:00 +0000

Values added:
Metrics (ssvc): {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 18 Mar 2026 12:15:00 +0000

Values added:
First Time appeared: Craftcms; Craftcms aws-s3
Vendors & Products: Craftcms; Craftcms aws-s3

Wed, 18 Mar 2026 04:15:00 +0000

Values added:
Description: The Amazon S3 for Craft CMS plugin provides an Amazon S3 integration for Craft CMS. In versions 2.0.2 through 2.2.4, unauthenticated users can view a list of buckets the plugin has access to. The `BucketsController->actionLoadBucketData()` endpoint allows unauthenticated users with a valid CSRF token to view a list of buckets that the plugin is allowed to see. Users should update to version 2.2.5 of the plugin to mitigate the issue.
Title: Amazon S3 for Craft CMS has an Information Disclosure vulnerability
Weaknesses: CWE-200
References:
Metrics (cvssV4_0): {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-18T13:30:56.737Z

Reserved: 2026-03-11T15:05:48.397Z

Link: CVE-2026-32265

Vulnrichment

Updated: 2026-03-18T13:30:51.217Z

NVD

Status: Awaiting Analysis

Published: 2026-03-18T04:17:27.337

Modified: 2026-03-18T14:52:44.227

Link: CVE-2026-32265

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-24T10:59:23Z

Weaknesses