Description
The Azure Blob Storage for Craft CMS plugin provides an Azure Blob Storage integration for Craft CMS. In versions on the 2.x branch prior to 2.1.1, unauthenticated users can view a list of buckets the plugin has access to. The `DefaultController->actionLoadContainerData()` endpoint allows unauthenticated users with a valid CSRF token to view a list of buckets that the plugin is allowed to see. Because Azure can return sensitive data in error messages, additional attack vectors are also exposed. Users should update to version 2.1.1 of the plugin to mitigate the issue.
Published: 2026-03-18
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive Information Disclosure
Action: Update Plugin
AI Analysis

Impact

Azure Blob Storage for Craft CMS plugin contains an endpoint that allows unauthenticated users to retrieve a list of Azure Blob Storage containers (buckets) that the plugin can access, provided they supply a valid CSRF token. Because Azure can embed sensitive data in error messages, the endpoint can become an additional vector for disclosing confidential information. The vulnerability is a missing authorization flaw (CWE-862) that can lead to sensitive information disclosure.

Affected Systems

Affected systems are installations of the Craft CMS Azure Blob Storage plugin on the 2.x branch versions older than 2.1.1. Any host running the plugin with a version prior to 2.1.1 is vulnerable.

Risk and Exploitability

The vulnerability carries a CVSS score of 8.7 (High). No EPSS score is publicly available, and the issue is not listed in the CISA KEV catalog. Exploitation requires only a valid CSRF token, which can be obtained through legitimate interactions or by phishing a user with site access. Once the token is presented, the attacker can enumerate buckets and potentially read error messages that may contain sensitive data. The risk is therefore moderate to high pending the presence of a CSRF token.

Generated by OpenCVE AI on March 18, 2026 at 06:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply plugin update to version 2.1.1 or newer

Generated by OpenCVE AI on March 18, 2026 at 06:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-q6fm-p73f-x862 Azure Blob Storage for Craft CMS Potential Sensitive Information Disclosure vulnerability
History

Wed, 18 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 18 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Craftcms
Craftcms azure-blob
Vendors & Products Craftcms
Craftcms azure-blob

Wed, 18 Mar 2026 05:30:00 +0000

Type Values Removed Values Added
Description The Azure Blob Storage for Craft CMS plugin provides an Azure Blob Storage integration for Craft CMS. In versions on the 2.x branch prior to 2.1.1, unauthenticated users can view a list of buckets the plugin has access to. The `DefaultController->actionLoadContainerData()` endpoint allows unauthenticated users with a valid CSRF token to view a list of buckets that the plugin is allowed to see. Because Azure can return sensitive data in error messages, additional attack vectors are also exposed. Users should update to version 2.1.1 of the plugin to mitigate the issue.
Title Azure Blob Storage for Craft CMS Potential Sensitive Information Disclosure vulnerability
Weaknesses CWE-862
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Craftcms Azure-blob
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-18T17:22:59.072Z

Reserved: 2026-03-11T15:05:48.398Z

Link: CVE-2026-32268

cve-icon Vulnrichment

Updated: 2026-03-18T17:22:51.449Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-18T06:16:17.827

Modified: 2026-03-18T14:52:44.227

Link: CVE-2026-32268

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-24T10:59:19Z

Weaknesses