VYPR
Low severity · NVD Advisory · Published Mar 18, 2026 · Updated Apr 16, 2026

CVE-2026-32266

Description

The Google Cloud Storage for Craft CMS plugin provides a Google Cloud Storage integration for Craft CMS. In versions on the 2.x branch prior to 2.2.1, the DefaultController->actionLoadBucketData() endpoint allows unauthenticated users with a valid CSRF token to view a list of buckets that the plugin is allowed to see. Users should update to version 2.2.1 of the plugin to mitigate the issue.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
craftcms/google-cloud (Packagist) | >= 2.0.0-beta.1, < 2.2.1 | 2.2.1
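
To check a project's composer.lock against the affected range above, the following can be used. It is an added example, not code from the advisory or the plugin; the function names are hypothetical and the sample lock file is constructed.

```python
import json
import re

PACKAGE = "craftcms/google-cloud"
LOWER, FIXED = "2.0.0-beta.1", "2.2.1"  # advisory range: >= LOWER, < FIXED
# Composer stability order: dev < alpha < beta < RC < stable
_STABILITY = {"dev": 0, "alpha": 1, "a": 1, "beta": 2, "b": 2, "rc": 3, "": 4}
_VERSION_RE = re.compile(
    r"^v?(\d+)\.(\d+)(?:\.(\d+))?(?:-?(dev|alpha|a|beta|b|rc)\.?(\d*))?$", re.I)


def parse_version(text):
    """Return a sortable tuple, or None for branch aliases such as dev-main."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch, stab, num = m.groups()
    return (int(major), int(minor), int(patch or 0),
            _STABILITY[(stab or "").lower()], int(num or 0))


def is_affected(version):
    """True/False for tagged versions, None when the version cannot be compared."""
    v = parse_version(version)
    if v is None:
        return None  # e.g. dev-main: inspect the locked commit by hand
    return parse_version(LOWER) <= v < parse_version(FIXED)


def check_lock(lock_text):
    """Find the plugin in composer.lock text; return (version, affected)."""
    lock = json.loads(lock_text)
    pkgs = (lock.get("packages") or []) + (lock.get("packages-dev") or [])
    for pkg in pkgs:
        if pkg.get("name") == PACKAGE:
            return pkg["version"], is_affected(pkg["version"])
    return None, False  # plugin not installed


# Constructed sample lock file, trimmed to the fields the check reads.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "craftcms/cms", "version": "4.8.0"},
    {"name": "craftcms/google-cloud", "version": "2.2.0"},
]})

if __name__ == "__main__":
    print(check_lock(SAMPLE_LOCK))
```

A result of `None` for the affected flag means the locked version is a branch alias, so compare the locked commit against the fix commit instead.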

Patches

651bacaa5f5f

Fixed GHSA-67cr-jmh8-4jpq

https://github.com/craftcms/google-cloud · brandonkelly · Feb 18, 2026 · via ghsa
2 files changed · +5 -0
  • CHANGELOG.md+4 0 modified
    @@ -1,5 +1,9 @@
     # Release Notes for Google Cloud Storage for Craft CMS
     
    +## Unreleased
    +
    +- Fixed a [low-severity](https://github.com/craftcms/cms/security/policy#severity--remediation) information disclosure vulnerability. (GHSA-67cr-jmh8-4jpq)
    +
     ## 2.2.0 - 2024-03-21
     
     - Added the “Visibility” filesystem setting. ([#35](https://github.com/craftcms/google-cloud/pull/35))
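
Review bot: the entry added under `## Unreleased` names neither the endpoint nor the behaviour change, so someone reading the changelog cannot tell that `actionLoadBucketData()` is now admin-only. Suggest wording it as a fix to the bucket-loading action that now requires an admin session, keeping the GHSA id, and renaming the heading to the 2.2.1 release when it is tagged.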
    
  • src/controllers/DefaultController.php+1 0 modified
    @@ -25,6 +25,7 @@ class DefaultController extends BaseController
          */
         public function actionLoadBucketData()
         {
    +        $this->requireAdmin();
             $this->requirePostRequest();
             $this->requireAcceptsJson();
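
Review bot: no test accompanies the new `$this->requireAdmin();` at the top of `actionLoadBucketData()`; the commit touches only CHANGELOG.md and DefaultController.php. A controller test asserting that a guest POST and a logged-in non-admin POST are both rejected would keep the guard from regressing. The docblock that closes just above the method should also state the admin requirement. Placing the check ahead of `requirePostRequest()` and `requireAcceptsJson()` is the right order, since the authorization failure then does not depend on the shape of the request.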
     
    
