GHSA-q6fm-p73f-x862

Suggest an improvement
Source
https://github.com/advisories/GHSA-q6fm-p73f-x862
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-q6fm-p73f-x862/GHSA-q6fm-p73f-x862.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-q6fm-p73f-x862
Aliases
  • CVE-2026-32268
Published
2026-03-16T18:44:38Z
Modified
2026-03-19T21:16:29.491899Z
Severity
  • 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
Azure Blob Storage for Craft CMS Potential Sensitive Information Disclosure vulnerability
Details

Unauthenticated users can view a list of buckets the plugin has access to.

The DefaultController->actionLoadContainerData() endpoint allows unauthenticated users with a valid CSRF token to view a list of buckets that the plugin is allowed to see.

Because Azure can return sensitive data in error messages, additional attack vectors are also exposed.

Users should update to version 2.1.1 of the plugin to mitigate the issue.

Database specific 
{
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-16T18:44:38Z",
    "cwe_ids": [
        "CWE-862"
    ],
    "nvd_published_at": "2026-03-18T06:16:17Z",
    "severity": "HIGH"
}
References

Affected packages

Packagist / craftcms/azure-blob

Package

Name
craftcms/azure-blob
Purl
pkg:composer/craftcms/azure-blob

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.0.0-beta.1
Fixed
2.1.1

Affected versions

2.*
2.0.0-beta.1
2.0.0
2.1.0

Database specific

last_known_affected_version_range 
"<= 2.1.0"
source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-q6fm-p73f-x862/GHSA-q6fm-p73f-x862.json"