CVE-2026-32268

The Azure Blob Storage for Craft CMS plugin provides an Azure Blob Storage integration for Craft CMS. In versions on the 2.x branch prior to 2.1.1, unauthenticated users can view a list of buckets the plugin has access to. The `DefaultController->actionLoadContainerData()` endpoint allows unauthenticated users with a valid CSRF token to view a list of buckets that the plugin is allowed to see. Because Azure can return sensitive data in error messages, additional attack vectors are also exposed. Users should update to version 2.1.1 of the plugin to mitigate the issue.

CVSS

No CVSS.

References

Link	Resource
https://github.com/craftcms/azure-blob/commit/cf69db45f393b3508a32f89ac8235554a2f026ff
https://github.com/craftcms/azure-blob/security/advisories/GHSA-q6fm-p73f-x862

Configurations

No configuration.

History

No history.

Information

Published : 2026-03-18 06:16

Updated : 2026-03-18 14:52

NVD link : CVE-2026-32268

Mitre link : CVE-2026-32268

CVE.ORG link : CVE-2026-32268

JSON object : View

Products Affected

No product.

CWE

CWE-862

Missing Authorization

{"id": "CVE-2026-32268", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-18T06:16:17.827", "references": [{"url": "https://github.com/craftcms/azure-blob/commit/cf69db45f393b3508a32f89ac8235554a2f026ff", "source": "security-advisories@github.com"}, {"url": "https://github.com/craftcms/azure-blob/security/advisories/GHSA-q6fm-p73f-x862", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-862"}]}], "descriptions": [{"lang": "en", "value": "The Azure Blob Storage for Craft CMS plugin provides an Azure Blob Storage integration for Craft CMS. In versions on the 2.x branch prior to 2.1.1, unauthenticated users can view a list of buckets the plugin has access to. The `DefaultController->actionLoadContainerData()` endpoint allows unauthenticated users with a valid CSRF token to view a list of buckets that the plugin is allowed to see. Because Azure can return sensitive data in error messages, additional attack vectors are also exposed. Users should update to version 2.1.1 of the plugin to mitigate the issue."}, {"lang": "es", "value": "El plugin Azure Blob Storage para Craft CMS proporciona una integraci\u00f3n de Azure Blob Storage para Craft CMS. En versiones de la rama 2.x anteriores a la 2.1.1, los usuarios no autenticados pueden ver una lista de buckets a los que el plugin tiene acceso. El endpoint `DefaultController->actionLoadContainerData()` permite a usuarios no autenticados con un token CSRF v\u00e1lido ver una lista de buckets que el plugin tiene permitido ver. Debido a que Azure puede devolver datos sensibles en mensajes de error, tambi\u00e9n se exponen vectores de ataque adicionales. Los usuarios deben actualizar a la versi\u00f3n 2.1.1 del plugin para mitigar el problema."}], "lastModified": "2026-03-18T14:52:44.227", "sourceIdentifier": "security-advisories@github.com"}