CVE-2026-32268 vulnerability details – vuln.today

Severity: HIGH
Published: 2026-03-16
Project: https://github.com/craftcms/azure-blob
Advisory: GHSA-q6fm-p73f-x862

Lifecycle Timeline (3 events)

- CVE Published: Mar 16, 2026 - 18:44 (source: nvd)
- Patch Released: Mar 16, 2026 - 20:05 (source: nvd) - patch available
- Analysis Generated: Mar 16, 2026 - 20:05 (source: vuln.today)

Description

Unauthenticated users can view a list of buckets the plugin has access to. The `DefaultController->actionLoadContainerData()` endpoint allows unauthenticated users with a valid CSRF token to view a list of buckets that the plugin is allowed to see. Because Azure can return sensitive data in error messages, additional attack vectors are also exposed. Users should update to version 2.1.1 of the plugin to mitigate the issue.

Analysis

The `DefaultController->actionLoadContainerData()` endpoint in the craftcms/azure-blob plugin permits unauthenticated attackers who hold a valid CSRF token to enumerate the storage buckets the plugin can access and to read sensitive data returned in Azure error messages. This authorization bypass affects unpatched versions prior to 2.1.1, exposing cloud storage infrastructure details and, through verbose error responses, potentially other sensitive system information.
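The two weaknesses the analysis names, an endpoint reachable without authentication and backend error text passed through to the caller, are both addressed in the added example below. It is illustrative code written for this page, not the craftcms/azure-blob plugin's source or its 2.1.1 fix; it assumes Craft CMS's `craft\web\Controller` API, the `accessCp` permission as the access policy, and a hypothetical `listContainers()` helper that returns constructed data in place of the real Azure SDK call.

```php
<?php
// Added example (not the craftcms/azure-blob plugin's code): a Craft CMS
// controller action that lists storage containers only for authenticated,
// authorised control-panel users and never echoes backend error text.
namespace myplugin\controllers; // hypothetical namespace

use Craft;
use craft\web\Controller;
use yii\web\Response;

class DefaultController extends Controller
{
    // Never allow anonymous access: a valid CSRF token is not authorization.
    protected array|int|bool $allowAnonymous = self::ALLOW_ANONYMOUS_NEVER;

    public function actionLoadContainerData(): Response
    {
        $this->requirePostRequest();
        $this->requireAcceptsJson();
        $this->requireLogin();                 // an authenticated session is required
        $this->requirePermission('accessCp');  // assumed policy: control-panel users only

        $request = Craft::$app->getRequest();
        $accountName = (string)$request->getRequiredBodyParam('accountName');

        try {
            $containers = $this->listContainers($accountName);
        } catch (\Throwable $e) {
            // Keep the verbose backend message in the server log for operators;
            // return a generic error so Azure's response text is not exposed.
            Craft::error('Azure container listing failed: ' . $e->getMessage(), __METHOD__);
            Craft::$app->getResponse()->setStatusCode(500);
            return $this->asJson(['error' => 'Unable to load container list.']);
        }

        return $this->asJson(['containers' => $containers]);
    }

    /**
     * Hypothetical helper standing in for the real Azure SDK call.
     * Returns constructed sample container names so the example runs offline.
     */
    private function listContainers(string $accountName): array
    {
        if ($accountName === '') {
            throw new \RuntimeException('Storage account name is empty'); // constructed failure case
        }
        return ['assets', 'backups']; // constructed sample data
    }
}
```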

Remediation

Within 24 hours: Inventory all systems running this plugin and assess exposure. Within 7 days: Update all affected systems to plugin version 2.1.1. …

Priority Score: 0

- KEV: 0
- EPSS: +0.1
- CVSS: +0
- POC: 0
