Description
The Google Cloud Storage for Craft CMS plugin provides a Google Cloud Storage integration for Craft CMS. In versions on the 2.x branch prior to 2.2.1, the `DefaultController->actionLoadBucketData()` endpoint allows unauthenticated users with a valid CSRF token to view a list of buckets that the plugin is allowed to see. Users should update to version 2.2.1 of the plugin to mitigate the issue.
Published: 2026-03-18
Score: 2.4 Low
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Update Plugin
AI Analysis

Impact

The vulnerability resides in the Google Cloud Storage for Craft CMS plugin’s `DefaultController->actionLoadBucketData()` endpoint. This endpoint permits unauthenticated users who possess a valid CSRF token to request and receive a list of Google Cloud Storage buckets that the plugin is configured to access. The exposure of bucket names represents a confidentiality breach, allowing an attacker to identify potential targets and gather reconnaissance information. This weakness is classified as CWE-200, indicating a failure to restrict access to sensitive information.

Affected Systems

The affected product is the Google Cloud Storage plugin for Craft CMS, specifically the 2.x branch of the craftcms:google-cloud module prior to version 2.2.1. Users who have deployed these earlier releases on their Craft CMS sites are vulnerable.

Risk and Exploitability

The CVSS score for this issue is 2.4, denoting low severity. No EPSS score is available, and the vulnerability is not listed in CISA’s KEV catalog. The exploit requires the attacker to obtain a valid CSRF token, suggesting that the attack vector is dependent on the ability to forge or hijack a legitimate session or to perform a cross‑site request forgery. Given the limited impact and low severity rating, the overall risk to exposed sites is relatively modest, although any disclosure of bucket names can assist attackers in planning further attacks against associated cloud storage resources.

Generated by OpenCVE AI on March 18, 2026 at 05:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Google Cloud Storage plugin to version 2.2.1 or later

Advisories
Source: Github GHSA
ID: GHSA-67cr-jmh8-4jpq
Title: Google Cloud Storage for Craft CMS has an Information Disclosure Vulnerability

History

Wed, 18 Mar 2026 18:15:00 +0000

Values added:
Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 18 Mar 2026 12:15:00 +0000

Values added:
First Time appeared: Craftcms; Craftcms google-cloud
Vendors & Products: Craftcms; Craftcms google-cloud

Wed, 18 Mar 2026 04:15:00 +0000

Values added:
Description: The Google Cloud Storage for Craft CMS plugin provides a Google Cloud Storage integration for Craft CMS. In versions on the 2.x branch prior to 2.2.1, the `DefaultController->actionLoadBucketData()` endpoint allows unauthenticated users with a valid CSRF token to view a list of buckets that the plugin is allowed to see. Users should update to version 2.2.1 of the plugin to mitigate the issue.
Title: Google Cloud Storage for Craft CMS has an Information Disclosure Vulnerability
Weaknesses: CWE-200
References
Metrics: cvssV4_0 {'score': 2.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:H/SI:N/SA:N/E:U'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-18T18:08:06.854Z

Reserved: 2026-03-11T15:05:48.397Z

Link: CVE-2026-32266

Vulnrichment

Updated: 2026-03-18T18:08:02.694Z

NVD

Status: Deferred

Published: 2026-03-18T04:17:27.540

Modified: 2026-04-16T14:46:24.290

Link: CVE-2026-32266

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-24T10:59:20Z