PT-2026-25818 · Craft Cms+1 · Craft Cms+1

Neosprings · Published 2026-03-16 · Updated 2026-03-18 · CVE-2026-32268

CVSS v4.0: 8.7 High

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

Azure Blob Storage for Craft CMS plugin versions prior to 2.1.1

Description

The Azure Blob Storage for Craft CMS plugin integrates Azure Blob Storage with Craft CMS. Versions prior to 2.1.1 allow unauthenticated users to view a list of buckets the plugin has access to. The /DefaultController->actionLoadContainerData() API endpoint permits unauthenticated users possessing a valid CSRF token to enumerate accessible buckets. Due to the potential for sensitive data exposure in Azure error messages, additional attack vectors may be present.

Recommendations

Update to version 2.1.1 of the plugin.

Exploit

Fix

Missing Authorization

Weakness Enumeration

Related Identifiers

CVE-2026-32268
GHSA-Q6FM-P73F-X862

Affected Products

Azure Blob Storage For Craft Cms
Craft Cms