The vulnerability identified as CVE-2026-32266 affects the Google Cloud Storage integration plugin for Craft CMS, specifically versions from 2.0.0-beta.1 up to 2.2.1. The issue lies in the DefaultController->actionLoadBucketData() endpoint, which improperly exposes a list of Google Cloud Storage buckets that the plugin can access. This endpoint can be invoked by unauthenticated users, provided they have a valid Cross-Site Request Forgery (CSRF) token, allowing them to enumerate bucket names without proper authorization. The exposure of bucket names constitutes sensitive information leakage (CWE-200), potentially aiding attackers in reconnaissance activities. The vulnerability does not require user authentication but does require a valid CSRF token, which somewhat limits exploitation vectors. The CVSS 4.0 base score is 2.4, reflecting low severity due to limited impact and exploitation complexity. No integrity or availability impacts are noted, and no known exploits have been reported. The recommended remediation is to upgrade the plugin to version 2.2.1 or later, where this endpoint's access control has been properly enforced to prevent unauthorized information disclosure.

The primary impact of this vulnerability is the unauthorized disclosure of sensitive information, specifically the names of Google Cloud Storage buckets accessible by the Craft CMS plugin. While bucket names alone may not directly compromise data confidentiality, they can provide attackers with valuable intelligence for further targeted attacks, such as phishing, social engineering, or attempts to exploit misconfigured buckets. Organizations using affected versions risk exposing their cloud storage infrastructure details, which could facilitate subsequent attacks. However, since exploitation requires a valid CSRF token and no direct access to bucket contents is granted, the immediate risk is limited. The vulnerability does not affect data integrity or system availability. Nonetheless, in environments where bucket names are sensitive or could reveal business-critical information, this exposure could have reputational or operational consequences.

To mitigate this vulnerability, organizations should promptly update the Google Cloud Storage plugin for Craft CMS to version 2.2.1 or later, where the issue has been resolved. Additionally, administrators should review and tighten CSRF token management to ensure tokens are not easily obtainable by unauthorized users. Implementing strict Content Security Policies (CSP) and SameSite cookie attributes can reduce the risk of CSRF token leakage. Monitoring web server logs for unusual access patterns to the affected endpoint may help detect attempted exploitation. Limiting the plugin's permissions to only necessary buckets and enforcing the principle of least privilege on Google Cloud Storage IAM roles can reduce the impact of any information disclosure. Finally, educating developers and administrators about secure plugin management and timely patching is essential to prevent similar vulnerabilities.