CVE-2026-32268

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-32268
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-32268.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-32268
Aliases
Published
2026-03-18T04:53:03.746Z
Modified
2026-04-02T13:24:29.315348Z
Severity
  • 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
Azure Blob Storage for Craft CMS Potential Sensitive Information Disclosure vulnerability
Details

The Azure Blob Storage for Craft CMS plugin provides an Azure Blob Storage integration for Craft CMS. In versions on the 2.x branch prior to 2.1.1, unauthenticated users can view a list of buckets the plugin has access to. The DefaultController->actionLoadContainerData() endpoint allows unauthenticated users with a valid CSRF token to view a list of buckets that the plugin is allowed to see. Because Azure can return sensitive data in error messages, additional attack vectors are also exposed. Users should update to version 2.1.1 of the plugin to mitigate the issue.

Database specific 
{
    "cwe_ids": [
        "CWE-862"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/32xxx/CVE-2026-32268.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/craftcms/azure-blob

Affected ranges

Type
GIT
Repo
https://github.com/craftcms/azure-blob
Events
Introduced
a56809b3396e1f49d520ee3212e46987bd6f1e2f
Fixed
e2150bd2109d88b58d1f3e472bae729358cf27e1

Affected versions

2.*
2.0.0
2.0.0-beta.1
2.1.0

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-32268.json"