CVE-2026-32266 Overview
CVE-2026-32266 is an information exposure vulnerability affecting the Google Cloud Storage plugin for Craft CMS. The vulnerability exists in the DefaultController->actionLoadBucketData() endpoint, which allows unauthenticated users with a valid CSRF token to view a list of Google Cloud Storage buckets that the plugin has access to. This represents a failure to properly enforce authentication controls on a sensitive administrative endpoint.
Critical Impact
Unauthenticated attackers can enumerate Google Cloud Storage buckets accessible to the plugin, potentially exposing sensitive cloud infrastructure information.
Affected Products
- Google Cloud Storage for Craft CMS plugin versions 2.x prior to 2.2.1
Discovery Timeline
- 2026-03-18 - CVE-2026-32266 published to NVD
- 2026-03-18 - Last updated in NVD database
Technical Details for CVE-2026-32266
Vulnerability Analysis
This vulnerability is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The issue stems from a missing authentication check on the actionLoadBucketData() controller action in the Google Cloud Storage plugin for Craft CMS.
The endpoint was designed to return the list of Google Cloud Storage buckets the plugin can access, for use during administrative configuration. However, the code only verified that the request was a POST, that the client accepted a JSON response, and that a valid CSRF token was present; it did not verify that the user had administrative privileges.
An attacker who can obtain a valid CSRF token (which a Craft CMS installation may expose in various ways) could invoke this endpoint to enumerate the GCS buckets configured for the application. A CSRF token is an anti-forgery control rather than an authentication credential, so requiring one does not restrict which users may call the endpoint. The disclosed bucket names could aid reconnaissance for further attacks against the cloud infrastructure.
Root Cause
The root cause of this vulnerability is the absence of an administrative privilege check in the actionLoadBucketData() method. While the endpoint correctly enforced POST request methods and JSON response requirements, it failed to call $this->requireAdmin() to ensure only authenticated administrators could access the bucket listing functionality.
Attack Vector
The attack vector is network-based, requiring no authentication but needing a valid CSRF token. An attacker would need to:
- Obtain a valid CSRF token from the Craft CMS installation (potentially through other information disclosure vectors or by having limited user access)
- Send a crafted POST request to the actionLoadBucketData() endpoint with proper JSON headers
- Receive the list of GCS bucket names in the response
The security patch adds the missing authentication requirement:
*/
public function actionLoadBucketData()
{
+ $this->requireAdmin();
$this->requirePostRequest();
$this->requireAcceptsJson();
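Review bot: requireAdmin() is placed ahead of requirePostRequest() and requireAcceptsJson(), so a non-admin caller is refused before the method and Accept checks run, which is the right order for an authorization guard; the fragment as shown, however, opens on a stray `*/` with no hunk header or the PHPDoc block it closes, so it should either include the full docblock or start at `public function actionLoadBucketData()`, and the change would benefit from a regression test asserting that a non-admin POST carrying a valid CSRF token is rejected.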
Source: GitHub Commit Change
Detection Methods for CVE-2026-32266
Indicators of Compromise
- Unexpected POST requests to the actionLoadBucketData endpoint from non-administrative sessions
- HTTP requests with JSON accept headers targeting the Google Cloud Storage plugin controller from unauthenticated sources
- Unusual access patterns to Craft CMS controller endpoints from external IP addresses
Detection Strategies
- Review web server access logs for POST requests to the Google Cloud Storage plugin's DefaultController endpoints
- Monitor for authentication failures or anomalies related to the Craft CMS admin panel
- Implement web application firewall rules to detect and block suspicious requests to plugin controller actions
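Implementing the first detection strategy above, as an added example that is not part of the original advisory or the plugin's own code: it parses constructed access-log lines and flags POST requests to the bucket-listing action. The action route (`actions/google-cloud/default/load-bucket-data`) and the list of admin-login source IPs are assumptions.

```python
"""Added example: flag POST requests to the Craft CMS Google Cloud Storage
plugin's bucket-listing action in web server access logs (CVE-2026-32266)."""
import re
from collections import Counter

# Assumption: Craft routes DefaultController::actionLoadBucketData() as
# <actionTrigger>/<plugin handle>/default/load-bucket-data; the default
# trigger is "actions" and the plugin handle is assumed to be "google-cloud".
ACTION_PATH = "google-cloud/default/load-bucket-data"

# Common/combined log format prefix: ip ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

def parse_line(line):
    """Parsed fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def scan(lines, admin_ips=frozenset()):
    """Return (suspect entries, per-IP counts). A suspect entry is a POST to the
    bucket-listing action from a source IP with no matching admin login
    (admin_ips is assumed to come from Craft's user login events). Status 200
    means the caller received the list; 403 means the patched check refused it,
    which is still worth recording as an attempt."""
    hits = []
    for entry in map(parse_line, lines):
        if not entry or entry["method"] != "POST":
            continue
        if ACTION_PATH in entry["path"] and entry["ip"] not in admin_ips:
            hits.append(entry)
    return hits, Counter(e["ip"] for e in hits)

# Constructed sample log lines, not captured traffic.
SAMPLE = """\
203.0.113.5 - - [18/Mar/2026:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120
203.0.113.9 - - [18/Mar/2026:10:02:10 +0000] "POST /actions/google-cloud/default/load-bucket-data HTTP/1.1" 200 318
203.0.113.9 - - [18/Mar/2026:10:02:11 +0000] "POST /actions/google-cloud/default/load-bucket-data HTTP/1.1" 200 318
198.51.100.7 - - [18/Mar/2026:10:05:00 +0000] "POST /actions/google-cloud/default/load-bucket-data HTTP/1.1" 403 94
""".splitlines()

if __name__ == "__main__":
    hits, per_ip = scan(SAMPLE)
    for e in hits:
        print(e["ts"], e["ip"], e["status"], e["path"])
    print("suspect requests per source IP:", dict(per_ip))
```

Craft also accepts the action name as a POST body parameter (`action=...`) instead of in the URL path, which web server access logs do not record, so pair this scan with application-level request logging that captures that parameter.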
Monitoring Recommendations
- Enable detailed logging for Craft CMS plugin controller actions
- Set up alerts for any access to sensitive plugin endpoints without corresponding admin authentication events
- Monitor cloud infrastructure access logs for any unauthorized bucket enumeration attempts
How to Mitigate CVE-2026-32266
Immediate Actions Required
- Update the Google Cloud Storage for Craft CMS plugin to version 2.2.1 or later immediately
- Review access logs for any signs of exploitation of this vulnerability
- Audit CSRF token handling and ensure tokens are not inadvertently exposed
Patch Information
The vulnerability has been fixed in version 2.2.1 of the Google Cloud Storage for Craft CMS plugin. The patch adds the $this->requireAdmin() check to the actionLoadBucketData() method, ensuring only authenticated administrators can access the bucket listing functionality.
For more information, see the GitHub Security Advisory GHSA-67cr-jmh8-4jpq and the security patch commit.
Workarounds
- If immediate patching is not possible, consider temporarily disabling the Google Cloud Storage plugin until the update can be applied
- Implement additional access controls at the web server level to restrict access to plugin controller endpoints
- Use a web application firewall to block unauthenticated requests to the affected endpoint
# Update the Craft CMS plugin via Composer; "require" also raises the
# composer.json constraint to the fixed release, and -w updates its dependencies
composer require "craftcms/google-cloud:^2.2.1" -w
# Clear Craft CMS caches after the update
php craft clear-caches/all
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

