CVE-2026-32268: CWE-862: Missing Authorization in craftcms azure-blob
The Azure Blob Storage for Craft CMS plugin provides an Azure Blob Storage integration for Craft CMS. In versions on the 2.x branch prior to 2.1.1, unauthenticated users can view a list of buckets the plugin has access to. The `DefaultController->actionLoadContainerData()` endpoint allows unauthenticated users with a valid CSRF token to view a list of buckets that the plugin is allowed to see. Because Azure can return sensitive data in error messages, additional attack vectors are also exposed. Users should update to version 2.1.1 of the plugin to mitigate the issue.
AI Analysis
Technical Summary
The vulnerability identified as CVE-2026-32268 affects the Azure Blob Storage plugin for Craft CMS, specifically versions from 2.0.0-beta.1 up to, but not including, the fixed release 2.1.1. The core issue is a missing authorization check (CWE-862) in the DefaultController->actionLoadContainerData() endpoint, which allows unauthenticated users who have a valid CSRF token to enumerate Azure Blob Storage buckets that the plugin can access. This endpoint does not verify the user's authorization before disclosing the list of storage containers. Additionally, Azure Blob Storage may return sensitive information within error messages, which could be leveraged by attackers to gain further insights or craft additional attack vectors. The vulnerability requires no authentication or user interaction beyond possessing a valid CSRF token, which may be obtainable through other means or social engineering. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N) reflects a network attack vector with low complexity, no privileges or user interaction needed, and a high impact on confidentiality. While no exploits have been reported in the wild, the exposure of bucket names and potentially sensitive error data could facilitate reconnaissance and subsequent attacks on cloud storage assets. The recommended mitigation is to upgrade the plugin to version 2.1.1, where proper authorization checks have been implemented to restrict access to authorized users only.
Potential Impact
The primary impact of this vulnerability is the unauthorized disclosure of Azure Blob Storage bucket names and potentially sensitive information contained in error messages. This can lead to significant confidentiality breaches, as attackers can gain insight into the cloud storage architecture and potentially identify targets for further exploitation, such as data exfiltration or privilege escalation. Since the vulnerability requires no authentication and minimal user interaction, it lowers the barrier for attackers to perform reconnaissance. Organizations using Craft CMS with the affected Azure Blob Storage plugin versions risk exposure of sensitive cloud storage resources, which could undermine data security and compliance requirements. Additionally, knowledge of bucket names can assist attackers in crafting more targeted attacks, including phishing or exploiting other misconfigurations. Although availability and integrity impacts are not directly indicated, the information disclosure alone can have severe consequences for organizations relying on Azure Blob Storage for critical data storage.
Mitigation Recommendations
1. Immediately update the Azure Blob Storage plugin for Craft CMS to version 2.1.1 or later, where the authorization checks have been properly implemented.
2. Review and restrict access to the DefaultController->actionLoadContainerData() endpoint to authenticated and authorized users only.
3. Implement strict validation and sanitization of error messages returned by Azure Blob Storage to avoid leaking sensitive information.
4. Monitor web application logs for unusual access patterns to the vulnerable endpoint, especially requests with valid CSRF tokens but no authentication.
5. Employ Web Application Firewalls (WAFs) to detect and block unauthorized attempts to access sensitive plugin endpoints.
6. Conduct regular security audits of third-party plugins and their integration points with cloud services to identify missing authorization or authentication controls.
7. Educate developers and administrators about the risks of missing authorization and the importance of secure coding practices, especially when integrating with cloud services.
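Recommendations 2 and 3 in a Craft CMS controller, as an added illustration written for this page and not the azure-blob plugin's own code: the weak form accepts anonymous requests and echoes Azure's exception text, the hardened form enforces login and a permission before touching Azure and logs the error detail server-side. It assumes Craft 4.x/5.x `craft\web\Controller` helpers; the class names, the `accessPlugin-azure-blob` permission and the `listContainers()` hook are assumptions, and the hardened class extends the weak one only to share that hook.

```php
<?php
// Illustrative Craft CMS (4.x/5.x) controller; not the azure-blob plugin's code.
namespace illustrative\azureblob\controllers;

use Craft;
use craft\web\Controller;
use yii\web\Response;

// Weak form: anonymous requests are accepted, so any visitor who holds a CSRF
// token can call the action and learn which containers the plugin can see, and
// Azure's exception text is echoed straight back to the client.
class LeakyContainerController extends Controller
{
    protected array|bool|int $allowAnonymous = true;

    public function actionLoadContainerData(): Response
    {
        $this->requirePostRequest();
        try {
            return $this->asJson(['containers' => $this->listContainers()]);
        } catch (\Throwable $e) {
            return $this->asFailure($e->getMessage()); // leaks Azure error detail
        }
    }

    /** Assumed hook to the plugin's Azure client; throws on failure. */
    protected function listContainers(): array { /* Azure SDK call here */ return []; }
}

// Hardened form: authorization is enforced before any Azure call is made, and
// Azure's error text goes to the server log rather than the HTTP response.
class HardenedContainerController extends LeakyContainerController
{
    protected array|bool|int $allowAnonymous = self::ALLOW_ANONYMOUS_NEVER;

    public function actionLoadContainerData(): Response
    {
        $this->requirePostRequest();   // CSRF token is still checked here...
        $this->requireAcceptsJson();
        $this->requireLogin();         // ...but is not a substitute for a login
        $this->requirePermission('accessPlugin-azure-blob'); // assumed permission name
        try {
            $containers = $this->listContainers();
        } catch (\Throwable $e) {
            Craft::error('Azure container listing failed: ' . $e->getMessage(), __METHOD__);
            return $this->asFailure('Unable to load container data.');
        }
        return $this->asJson(['containers' => $containers]);
    }
}
```

With `$allowAnonymous` left at its default of `ALLOW_ANONYMOUS_NEVER`, Craft rejects unauthenticated calls before the action body runs, so the explicit `requireLogin()` is a second, in-method guard rather than the only one.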
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, Netherlands, France, Japan, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-11T15:05:48.398Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69bae0bb771bdb1749b563e3
Added to database: 3/18/2026, 5:28:27 PM
Last enriched: 3/18/2026, 5:42:47 PM
Last updated: 3/18/2026, 7:16:48 PM