CVE-2026-32268
Description
The Azure Blob Storage for Craft CMS plugin provides an Azure Blob Storage integration for Craft CMS. In versions on the 2.x branch prior to 2.1.1, unauthenticated users can view a list of buckets the plugin has access to. The DefaultController->actionLoadContainerData() endpoint allows unauthenticated users with a valid CSRF token to view a list of buckets that the plugin is allowed to see. Because Azure can return sensitive data in error messages, additional attack vectors are also exposed. Users should update to version 2.1.1 of the plugin to mitigate the issue.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
craftcms/azure-blobPackagist | >= 2.0.0-beta.1, < 2.1.1 | 2.1.1 |
Affected products
1Patches
1cf69db45f393Fixed GHSA-q6fm-p73f-x862
2 files changed · +5 −0
CHANGELOG.md+4 −0 modified@@ -1,5 +1,9 @@ # Release Notes for Azure Blog Storagefor Craft CMS +## Unreleased + +- Fixed a [critical-severity](https://github.com/craftcms/cms/security/policy#severity--remediation) information disclosure vulnerability. (GHSA-q6fm-p73f-x862) + ## 2.1.0 - 2024-03-19 - Added Craft 5 compatibility.
src/controllers/DefaultController.php+1 −0 modified@@ -24,6 +24,7 @@ class DefaultController extends BaseController */ public function actionLoadContainerData(): Response { + $this->requireAdmin(); $this->requirePostRequest(); $this->requireAcceptsJson();
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
4News mentions
0No linked articles in our index yet.