CVE-2026-32265 Overview
CVE-2026-32265 is an information disclosure vulnerability affecting the Amazon S3 for Craft CMS plugin. The vulnerability exists in the BucketsController->actionLoadBucketData() endpoint, which allows unauthenticated users with a valid CSRF token to view a list of S3 buckets that the plugin has access to. This exposure could provide attackers with valuable reconnaissance information about an organization's cloud infrastructure.
Critical Impact
Unauthenticated users can enumerate S3 bucket names accessible to the plugin, potentially revealing sensitive cloud infrastructure details and enabling further targeted attacks.
Affected Products
- Amazon S3 for Craft CMS plugin versions 2.0.2 through 2.2.4
Discovery Timeline
- 2026-03-18 - CVE-2026-32265 published to NVD
- 2026-03-18 - Last updated in NVD database
Technical Details for CVE-2026-32265
Vulnerability Analysis
This vulnerability is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The flaw stems from a missing authentication check in the actionLoadBucketData() method in BucketsController.php. The endpoint does enforce a valid CSRF token, accepts only POST requests, and requires the client to accept a JSON response, but it never verifies that the requesting user holds administrative privileges before returning the bucket data.
The vulnerability allows remote attackers to access the endpoint over the network without requiring any privileges. The exposure is limited to confidentiality impact, as attackers can only read bucket list information without the ability to modify or delete data.
Root Cause
The root cause of this vulnerability is a missing authorization check in the BucketsController class. The actionLoadBucketData() method enforces CSRF protection and request type validation, but does not call $this->requireAdmin() to verify administrative privileges before processing the request and returning sensitive bucket information.
Attack Vector
An attacker can exploit this vulnerability by sending a crafted POST request to the actionLoadBucketData() endpoint with a valid CSRF token. The attack vector is network-based, requiring no authentication or user interaction. The attacker needs only to:
- Obtain a valid CSRF token from the Craft CMS application
- Send a POST request to the vulnerable endpoint with the Accept: application/json header
- Receive the list of S3 buckets configured in the plugin
*/
public function actionLoadBucketData(): Response
{
+ $this->requireAdmin();
$this->requirePostRequest();
$this->requireAcceptsJson();
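Review bot: placing $this->requireAdmin() ahead of requirePostRequest() and requireAcceptsJson() is the right order, since a non-admin caller is refused before the request shape is even examined, but the excerpt shows no accompanying test; consider adding a controller test asserting that a POST carrying a valid CSRF token and an Accept: application/json header from a session without admin privileges is now rejected instead of receiving the bucket list, and update the method's docblock (closed by the `*/` just above) to state that the action is admin-only.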
Source: GitHub Commit
Detection Methods for CVE-2026-32265
Indicators of Compromise
- Unusual POST requests to the /actions/aws-s3/buckets/load-bucket-data endpoint from unauthenticated sessions
- Multiple failed or successful attempts to access bucket listing endpoints from external IP addresses
- Web server logs showing requests to the BucketsController endpoint without corresponding admin login activity
Detection Strategies
- Monitor web application firewall (WAF) logs for suspicious POST requests targeting the aws-s3 plugin endpoints
- Implement anomaly detection for requests to administrative plugin endpoints from non-authenticated users
- Review access logs for patterns of reconnaissance activity targeting Craft CMS plugin endpoints
Monitoring Recommendations
- Configure alerting for any access to the BucketsController endpoints outside of expected administrative workflows
- Enable detailed logging for all Craft CMS plugin controller actions
- Implement rate limiting on plugin API endpoints to detect and slow enumeration attempts
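As an added example that is not part of the original advisory, the following script applies the indicators above to web server access logs: it flags POSTs to the bucket-listing endpoint whose source IP shows no earlier successful login in the same log. The log lines are constructed for the example, and the Craft login action path /actions/users/login is an assumption to adapt to your site's configuration.

```python
import re
from datetime import datetime

# Constructed sample access log lines (combined log format), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Mar/2026:10:01:02 +0000] "GET /admin/login HTTP/1.1" 200 512
203.0.113.7 - - [18/Mar/2026:10:01:05 +0000] "POST /actions/aws-s3/buckets/load-bucket-data HTTP/1.1" 200 388
198.51.100.4 - - [18/Mar/2026:10:02:11 +0000] "POST /actions/users/login HTTP/1.1" 200 97
198.51.100.4 - - [18/Mar/2026:10:02:40 +0000] "POST /actions/aws-s3/buckets/load-bucket-data HTTP/1.1" 200 388
203.0.113.7 - - [18/Mar/2026:10:03:00 +0000] "POST /actions/aws-s3/buckets/load-bucket-data HTTP/1.1" 403 61
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

BUCKET_PATH = "/actions/aws-s3/buckets/load-bucket-data"  # vulnerable endpoint from the advisory
LOGIN_PATH = "/actions/users/login"  # assumed Craft CP login action; adjust for your actionTrigger


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def find_suspicious(log_text):
    """Return (ip, iso_timestamp, status) for bucket-listing POSTs from IPs with no
    earlier successful login. A 200 means data was returned (likely disclosure on an
    unpatched host); a 403 is an attempt refused after the fix."""
    logged_in = set()
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        is_post = rec["method"] == "POST"
        path = rec["path"].split("?", 1)[0]
        if is_post and path == LOGIN_PATH and rec["status"] in (200, 302):
            logged_in.add(rec["ip"])  # 200 for AJAX login, 302 for form login redirect
        elif is_post and path == BUCKET_PATH and rec["ip"] not in logged_in:
            hits.append((rec["ip"], rec["ts"].isoformat(), rec["status"]))
    return hits


if __name__ == "__main__":
    for ip, ts, status in find_suspicious(SAMPLE_LOG):
        print(f"{ts} {ip} bucket listing without prior login (HTTP {status})")
```

Correlating by source IP is a heuristic: clients behind NAT share an address, so pair any hit with the application's own session or audit logs before concluding exploitation occurred.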
How to Mitigate CVE-2026-32265
Immediate Actions Required
- Update the Amazon S3 for Craft CMS plugin to version 2.2.5 or later immediately
- Audit web server logs for any historical exploitation attempts against the vulnerable endpoint
- Review S3 bucket configurations and naming conventions to assess potential exposure from disclosed bucket names
Patch Information
The vulnerability has been addressed in version 2.2.5 of the Amazon S3 for Craft CMS plugin. The fix adds the $this->requireAdmin() authorization check to the actionLoadBucketData() method, ensuring only authenticated administrators can access the bucket listing functionality. The patch is available via the GitHub Commit and through the official plugin update channels. Additional details are available in the GitHub Security Advisory.
Workarounds
- If immediate patching is not possible, implement WAF rules to block unauthenticated requests to the /actions/aws-s3/buckets/load-bucket-data endpoint
- Restrict access to Craft CMS administrative paths using network-level controls or IP allowlisting
- Consider temporarily disabling the Amazon S3 plugin until the update can be applied
# Example reverse-proxy rule to block access to the vulnerable endpoint
# This is a conceptual example - adapt to your specific WAF platform
# nginx cannot see the Craft session, so the closest stand-in for an admin-only
# check is an IP allowlist; access rules are evaluated in order and the first
# match wins, so the allow directives must come before deny all
location ~ ^/actions/aws-s3/buckets/ {
    # Allow from trusted admin IP ranges (example range - replace with your own)
    allow 10.0.0.0/8;
    # Everyone else is refused (403) before the request reaches Craft
    deny all;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.