Google Cloud Storage for Craft CMS Exposes Bucket List to Unauthorized Users
GHSA-67cr-jmh8-4jpq
CVE-2026-32266
Summary
A security issue in Google Cloud Storage for Craft CMS allows unauthenticated users to view the list of buckets the plugin has access to, which could expose sensitive data. To fix this, update the plugin to version 2.2.1.
What to do
- Update craftcms google-cloud to version 2.2.1.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| craftcms | google-cloud | > 2.0.0-beta.1, <= 2.2.0 | 2.2.1 |
Original title
Google Cloud Storage for Craft CMS has an Information Disclosure Vulnerability
Original description
Unauthenticated users can view a list of buckets the plugin has access to.
The `DefaultController->actionLoadBucketData()` endpoint allows unauthenticated users with a valid CSRF token to view a list of buckets that the plugin is allowed to see.
Users should update to version 2.2.1 of the plugin to mitigate the issue.
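To check whether a site is inside the affected range, the following added example (not part of the advisory or the plugin's code) reads a `composer.lock` and tests the installed plugin version against `> 2.0.0-beta.1, <= 2.2.0`, including the pre-release boundary. It assumes the Composer package name is `craftcms/google-cloud`, taken from the vendor and product columns above; the sample lock content is constructed.

```python
import json
import re

PACKAGE = "craftcms/google-cloud"  # assumed Composer name (vendor/product from the table)
LOWER_EXCL = "2.0.0-beta.1"        # affected: > 2.0.0-beta.1
UPPER_INCL = "2.2.0"               # affected: <= 2.2.0

def version_key(version):
    """Sortable key for x.y.z[-pre.n]; a pre-release sorts below its final release."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?", version.strip())
    if not m:
        # e.g. "dev-main": cannot be placed in the range, so fail loudly
        raise ValueError(f"unrecognised version: {version!r}")
    core = tuple(int(g) for g in m.group(1, 2, 3))
    if m.group(4) is None:
        return core + ((1,),)  # final release outranks any pre-release
    # Numeric identifiers sort below alphanumeric ones, as in semver
    pre = tuple((0, int(p), "") if p.isdigit() else (1, 0, p.lower())
                for p in m.group(4).split("."))
    return core + ((0,) + pre,)

def is_affected(version):
    return version_key(LOWER_EXCL) < version_key(version) <= version_key(UPPER_INCL)

def check_lock(lock_text):
    """Return (installed_version, affected), or (None, False) if the plugin is absent."""
    lock = json.loads(lock_text)
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg.get("name") == PACKAGE:
            return pkg["version"], is_affected(pkg["version"])
    return None, False

# Constructed sample composer.lock content (not from a real site)
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "example/other-plugin", "version": "1.0.0"},
    {"name": "craftcms/google-cloud", "version": "2.2.0"},
]})

if __name__ == "__main__":
    version, affected = check_lock(SAMPLE_LOCK)
    print(f"{PACKAGE} {version}: {'AFFECTED, update to 2.2.1' if affected else 'not affected'}")
```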
Vulnerability type
CWE-200
Information Exposure
Published: 16 Mar 2026 · Updated: 16 Mar 2026 · First seen: 16 Mar 2026