The vulnerability identified as CVE-2026-32265 affects the Amazon S3 plugin for Craft CMS, specifically versions 2.0.2 through 2.2.4. The issue arises because the BucketsController->actionLoadBucketData() endpoint improperly exposes a list of accessible Amazon S3 buckets to unauthenticated users who have a valid Cross-Site Request Forgery (CSRF) token. This endpoint is intended to provide bucket data to authenticated users, but due to insufficient access controls, it allows unauthorized actors to enumerate bucket names. The exposure falls under CWE-200, which concerns the unintended disclosure of sensitive information to unauthorized parties. The vulnerability does not require authentication or user interaction beyond possessing a valid CSRF token, which may be obtainable through other means or existing session contexts. The disclosed bucket names could provide attackers with valuable reconnaissance information, potentially facilitating targeted attacks on cloud storage resources or further exploitation of misconfigurations. The vendor has addressed the vulnerability in version 2.2.5 of the plugin, recommending immediate upgrades. The CVSS 4.0 base score is 6.9 (medium severity), reflecting network attack vector, low complexity, no privileges or user interaction required, and limited confidentiality impact. No known exploits have been reported in the wild as of the publication date.

The primary impact of this vulnerability is the unauthorized disclosure of Amazon S3 bucket names associated with the Craft CMS plugin. While the exposure does not directly grant access to the contents of the buckets, knowledge of bucket names can aid attackers in reconnaissance, enabling them to craft more targeted attacks such as phishing, social engineering, or attempts to exploit other misconfigurations in AWS permissions. Organizations relying on Craft CMS with the vulnerable plugin version risk leaking sensitive infrastructure details, which could compromise confidentiality and potentially lead to further breaches if combined with other vulnerabilities. The impact is especially significant for organizations storing sensitive or regulated data in S3 buckets, as attackers could identify critical assets and prioritize them for attack. Additionally, this vulnerability could undermine trust in the affected web applications and lead to compliance issues if sensitive information is indirectly exposed. The lack of required authentication lowers the barrier for exploitation, increasing the risk profile for affected organizations worldwide.

To mitigate this vulnerability, organizations should immediately update the Amazon S3 plugin for Craft CMS to version 2.2.5 or later, where the issue is resolved. Beyond patching, administrators should audit their AWS S3 bucket policies and permissions to ensure that bucket names and contents are not inadvertently exposed through other means. Implement strict access controls and least privilege principles for AWS IAM roles associated with the plugin. Additionally, review and harden CSRF protections and session management to prevent unauthorized acquisition of valid CSRF tokens. Monitoring web server logs for unusual access patterns to the BucketsController endpoints can help detect exploitation attempts. Employ web application firewalls (WAFs) to restrict access to sensitive endpoints and consider rate limiting to reduce the risk of automated enumeration. Finally, conduct regular security assessments and penetration tests on Craft CMS deployments to identify and remediate similar information disclosure issues proactively.