CVE-2026-32268: Azure Blob Storage for Craft CMS Potential Sensitive Information Disclosure vulnerability

March 16, 2026 (updated March 19, 2026)

Unauthenticated users can view a list of buckets the plugin has access to.

The DefaultController->actionLoadContainerData() endpoint allows unauthenticated users with a valid CSRF token to view a list of buckets that the plugin is allowed to see.

Because Azure can return sensitive data in error messages, additional attack vectors are also exposed.

Users should update to version 2.1.1 of the plugin to mitigate the issue.

References

github.com/advisories/GHSA-q6fm-p73f-x862
github.com/craftcms/azure-blob
github.com/craftcms/azure-blob/commit/cf69db45f393b3508a32f89ac8235554a2f026ff
github.com/craftcms/azure-blob/security/advisories/GHSA-q6fm-p73f-x862
nvd.nist.gov/vuln/detail/CVE-2026-32268

Code Behaviors & Features

Detect and mitigate CVE-2026-32268 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →