{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32266", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-11T15:05:48.397Z", "datePublished": "2026-03-18T03:46:00.150Z", "dateUpdated": "2026-03-18T18:08:06.854Z"}, "containers": {"cna": {"title": "Google Cloud Storage for Craft CMS has an Information Disclosure Vulnerability", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 2.4, "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:H/SI:N/SA:N/E:U", "version": "4.0"}}], "references": [{"name": "https://github.com/craftcms/google-cloud/security/advisories/GHSA-67cr-jmh8-4jpq", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/craftcms/google-cloud/security/advisories/GHSA-67cr-jmh8-4jpq"}, {"name": "https://github.com/craftcms/google-cloud/commit/651bacaa5f5fd7813e4075e0747b1d706391fb2c", "tags": ["x_refsource_MISC"], "url": "https://github.com/craftcms/google-cloud/commit/651bacaa5f5fd7813e4075e0747b1d706391fb2c"}], "affected": [{"vendor": "craftcms", "product": "google-cloud", "versions": [{"version": ">= 2.0.0-beta.1, < 2.2.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-18T03:46:00.150Z"}, "descriptions": [{"lang": "en", "value": "The Google Cloud Storage for Craft CMS plugin provides a Google Cloud Storage integration for Craft CMS. In versions on the 2.x branch prior to 2.2.1, the `DefaultController->actionLoadBucketData()` endpoint allows unauthenticated users with a valid CSRF token to view a list of buckets that the plugin is allowed to see. Users should update to version 2.2.1 of the plugin to mitigate the issue."}], "source": {"advisory": "GHSA-67cr-jmh8-4jpq", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-18T18:07:44.551891Z", "id": "CVE-2026-32266", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-18T18:08:06.854Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32266", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-18T18:07:44.551891Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-18T18:08:02.694Z"}}], "cna": {"title": "Google Cloud Storage for Craft CMS has an Information Disclosure Vulnerability", "source": {"advisory": "GHSA-67cr-jmh8-4jpq", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 2.4, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:H/SI:N/SA:N/E:U", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "LOW"}}], "affected": [{"vendor": "craftcms", "product": "google-cloud", "versions": [{"status": "affected", "version": ">= 2.0.0-beta.1, < 2.2.1"}]}], "references": [{"url": "https://github.com/craftcms/google-cloud/security/advisories/GHSA-67cr-jmh8-4jpq", "name": "https://github.com/craftcms/google-cloud/security/advisories/GHSA-67cr-jmh8-4jpq", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/craftcms/google-cloud/commit/651bacaa5f5fd7813e4075e0747b1d706391fb2c", "name": "https://github.com/craftcms/google-cloud/commit/651bacaa5f5fd7813e4075e0747b1d706391fb2c", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "The Google Cloud Storage for Craft CMS plugin provides a Google Cloud Storage integration for Craft CMS. In versions on the 2.x branch prior to 2.2.1, the `DefaultController->actionLoadBucketData()` endpoint allows unauthenticated users with a valid CSRF token to view a list of buckets that the plugin is allowed to see. Users should update to version 2.2.1 of the plugin to mitigate the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-18T03:46:00.150Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32266", "state": "PUBLISHED", "dateUpdated": "2026-03-18T18:08:06.854Z", "dateReserved": "2026-03-11T15:05:48.397Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-18T03:46:00.150Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Google Cloud Storage for Craft CMS plugin provides a Google Cloud Storage integration for Craft CMS. In versions on the 2.x branch prior to 2.2.1, the `DefaultController->actionLoadBucketData()` endpoint allows unauthenticated users with a valid CSRF token to view a list of buckets that the plugin is allowed to see. Users should update to version 2.2.1 of the plugin to mitigate the issue."}, {"lang": "es", "value": "El plugin de Google Cloud Storage para Craft CMS proporciona una integraci\u00f3n de Google Cloud Storage para Craft CMS. En versiones de la rama 2.x anteriores a la 2.2.1, el endpoint 'DefaultController-&gt;actionLoadBucketData()' permite a usuarios no autenticados con un token CSRF v\u00e1lido ver una lista de buckets que el plugin tiene permitido ver. Los usuarios deben actualizar a la versi\u00f3n 2.2.1 del plugin para mitigar el problema."}], "id": "CVE-2026-32266", "lastModified": "2026-04-16T14:46:24.290", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.4, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "UNREPORTED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:H/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-18T04:17:27.540", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/craftcms/google-cloud/commit/651bacaa5f5fd7813e4075e0747b1d706391fb2c"}, {"source": "security-advisories@github.com", "url": "https://github.com/craftcms/google-cloud/security/advisories/GHSA-67cr-jmh8-4jpq"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.0.0-beta.1,2.2.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "google-cloud", "source": "cna", "vendor": "craftcms"}, "product": "google-cloud", "vendor": "craftcms"}], "analysis": {"en": {"generated_at": "2026-03-18T05:20:34.860990+00:00", "value": {"mitigation_remediation": ["Update the Google Cloud Storage plugin to version 2.2.1 or later"], "summary": {"action": "Update Plugin", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "The affected product is the Google Cloud Storage plugin for Craft CMS, specifically the 2.x branch of the craftcms:google-cloud module prior to version 2.2.1. Users who have deployed these earlier releases on their Craft CMS sites are vulnerable.", "description_and_impact": "The vulnerability resides in the Google Cloud Storage for Craft CMS plugin\u2019s DefaultController->actionLoadBucketData() endpoint. This endpoint permits unauthenticated users who possess a valid CSRF token to request and receive a list of Google Cloud Storage buckets that the plugin is configured to access. The exposure of bucket names represents a confidentiality breach, allowing an attacker to identify potential targets and gather reconnaissance information. This weakness is classified as CWE-200, indicating a failure to restrict access to sensitive information.", "risk_and_exploitability": "The CVSS score for this issue is 2.4, denoting low severity. No EPSS score is available, and the vulnerability is not listed in CISA\u2019s KEV catalog. The exploit requires the attacker to obtain a valid CSRF token, suggesting that the attack vector is dependent on the ability to forge or hijack a legitimate session or to perform a cross\u2011site request forgery. Given the limited impact and low severity rating, the overall risk to exposed sites is relatively modest, although any disclosure of bucket names can assist attackers in planning further attacks against associated cloud storage resources."}}}}, "created": "2026-03-18T10:41:51.641170+00:00", "updated": "2026-03-24T10:59:20.779441+00:00", "vendors": ["craftcms", "craftcms$PRODUCT$google-cloud"]}