Craft CMS Google Cloud Storage Plugin Unauthenticated Bucket Listing Vulnerability

Vulnerability

A low-severity information disclosure vulnerability exists in the Google Cloud Storage for Craft CMS plugin, specifically in versions 2.0.0-beta.1 through 2.2.0. The issue arises in the DefaultController's actionLoadBucketData() endpoint, which allows unauthenticated users with a valid CSRF token to access a list of buckets that the plugin can view.

Impact

Exploitation of this vulnerability allows for unauthorized access to bucket information, potentially leading to further information disclosure or misuse of the Google Cloud Storage integration.

Remediation

Users are advised to update the Google Cloud Storage for Craft CMS plugin to version 2.2.1.
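One way to check a project against the affected range, as an added example that is not part of the original advisory: it reads `composer.lock` and reports whether the installed plugin version falls within 2.0.0-beta.1 through 2.2.0, ordering pre-release tags by semver precedence. The Composer package name `craftcms/google-cloud` and the sample lock content are assumptions not stated in the advisory.

```python
import json
import re

PACKAGE = "craftcms/google-cloud"   # assumed Composer package name (not stated in the advisory)
FIRST_AFFECTED = "2.0.0-beta.1"     # affected range as given in the advisory
LAST_AFFECTED = "2.2.0"

def version_key(version):
    """Sort key following semver precedence: pre-releases sort before the release."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?", version)
    if not m:
        raise ValueError(f"unsupported version string: {version!r}")
    core = tuple(int(x) for x in m.group(1, 2, 3))
    if m.group(4) is None:
        return core + ((1,),)
    # Numeric identifiers rank below alphanumeric ones, as in semver.
    pre = tuple((0, int(p), "") if p.isdigit() else (1, 0, p.lower())
                for p in m.group(4).split("."))
    return core + ((0,) + pre,)

def is_affected(version):
    return version_key(FIRST_AFFECTED) <= version_key(version) <= version_key(LAST_AFFECTED)

def check_lock(lock_text, package=PACKAGE):
    """Return (version, affected) for the plugin, or None if it is not installed.
    affected is None when the version (e.g. a dev branch) cannot be compared."""
    lock = json.loads(lock_text)
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg.get("name") == package:
            version = pkg.get("version", "")
            try:
                return version, is_affected(version)
            except ValueError:
                return version, None
    return None

# Constructed sample composer.lock content, for illustration only.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "craftcms/cms", "version": "4.5.0"},
    {"name": PACKAGE, "version": "2.1.0"},
]})

if __name__ == "__main__":
    print(check_lock(SAMPLE_LOCK))
```

A result of `(version, None)` means the installed version string, such as a dev branch, could not be compared and needs manual review.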

Added: Mar 18, 2026, 4:20 AM
Updated: Mar 18, 2026, 4:20 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 6.7
remediation: 0.0
relevance: 4.1
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.