GHSA-Q6FM-P73F-X862
Vulnerability from github – Published: 2026-03-16 18:44 – Updated: 2026-03-19 21:01
Summary
Azure Blob Storage for Craft CMS Potential Sensitive Information Disclosure vulnerability
Details
Unauthenticated users can view a list of buckets the plugin has access to.
The DefaultController->actionLoadContainerData() endpoint allows unauthenticated users with a valid CSRF token to view a list of buckets that the plugin is allowed to see.
Because Azure can return sensitive data in error messages, additional attack vectors are also exposed.
Users should update to version 2.1.1 of the plugin to mitigate the issue.
{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.1.0"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "craftcms/azure-blob"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0-beta.1"
            },
            {
              "fixed": "2.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-32268"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-16T18:44:38Z",
    "nvd_published_at": "2026-03-18T06:16:17Z",
    "severity": "HIGH"
  },
  "details": "Unauthenticated users can view a list of buckets the plugin has access to.\n\nThe `DefaultController-\u003eactionLoadContainerData()` endpoint allows unauthenticated users with a valid CSRF token to view a list of buckets that the plugin is allowed to see.\n\nBecause Azure can return sensitive data in error messages, additional attack vectors are also exposed.\n\nUsers should update to version 2.1.1 of the plugin to mitigate the issue.",
  "id": "GHSA-q6fm-p73f-x862",
  "modified": "2026-03-19T21:01:39Z",
  "published": "2026-03-16T18:44:38Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/azure-blob/security/advisories/GHSA-q6fm-p73f-x862"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32268"
    },
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/azure-blob/commit/cf69db45f393b3508a32f89ac8235554a2f026ff"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/craftcms/azure-blob"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Azure Blob Storage for Craft CMS Potential Sensitive Information Disclosure vulnerability"
}