Unauthenticated Access in Craft CMS Google Cloud Storage Plugin
CVE-2026-32266

2.4LOW

Key Information:

Vendor: Craftcms
Status: Google-cloud
Vendor: CVE Published:; 18 March 2026

What is CVE-2026-32266?

The Google Cloud Storage plugin for Craft CMS has a security flaw that permits unauthenticated users, utilizing a valid CSRF token, to access sensitive information about buckets that the plugin can access. This issue is presented through the DefaultController->actionLoadBucketData() endpoint, allowing unauthorized visibility into the storage architecture. It is crucial for users to upgrade to version 2.2.1 or later to safeguard their application against potential information exposure.

Affected Version(s)

google-cloud >= 2.0.0-beta.1, < 2.2.1

References

https://github.com/craftcms/google-cloud/security/advisor...

x_refsource_CONFIRM

https://github.com/craftcms/google-cloud/commit/651bacaa5...

x_refsource_MISC

CVSS V4

Score:

2.4

Severity:

LOW

Confidentiality:

Low

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 18, 2026
Vulnerability Reserved
Mar 11, 2026

CVE-2026-32266 Data

JSON

Craftcms

What is CVE-2026-32266?

Affected Version(s)

References

CVSS V4

Timeline