VYPR
Get started
← All advisories
Medium severityNVD Advisory· Published Mar 18, 2026· Updated Apr 16, 2026

CVE-2026-32265

CVE-2026-32265

Description

The Amazon S3 for Craft CMS plugin provides an Amazon S3 integration for Craft CMS. In versions 2.0.2 through 2.2.4, unauthenticated users can view a list of buckets the plugin has access to. The BucketsController->actionLoadBucketData() endpoint allows unauthenticated users with a valid CSRF token to view a list of buckets that the plugin is allowed to see. Users should update to version 2.2.5 of the plugin to mitigate the issue.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
craftcms/aws-s3Packagist
>= 2.0.2, < 2.2.52.2.5

Affected products

1

Patches

1
ef8904d8b685

Fixed GHSA-hwj7-4vgc-j3v9

https://github.com/craftcms/aws-s3brandonkellyFeb 18, 2026via ghsa
commit
2 files changed · +5 0
  • CHANGELOG.md+4 0 modified
    @@ -1,5 +1,9 @@
 # Release Notes for Amazon S3 for Craft CMS
 
+## Unreleased
+
+- Fixed a [low-severity](https://github.com/craftcms/cms/security/policy#severity--remediation) information disclosure vulnerability. (GHSA-hwj7-4vgc-j3v9)
+
 ## 2.2.4 - 2026-01-14
 
 - Fixed a PHP error that could occur in some environments. ([#183](https://github.com/craftcms/aws-s3/issues/183))
  • src/controllers/BucketsController.php+1 0 modified
    @@ -25,6 +25,7 @@ class BucketsController extends BaseController
      */
     public function actionLoadBucketData(): Response
     {
+        $this->requireAdmin();
         $this->requirePostRequest();
         $this->requireAcceptsJson();

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4

News mentions

0

No linked articles in our index yet.