Fluid Attacks Database

Description

Amazon S3 for Craft CMS has an Information Disclosure vulnerability Unauthenticated users can view a list of buckets the plugin has access to.

The BucketsController->actionLoadBucketData() endpoint allows unauthenticated users with a valid CSRF token to view a list of buckets that the plugin is allowed to see.

Users should update to version 2.2.5 of the plugin to mitigate the issue.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
packagist	craftcms/aws-s3	>=2.0.2 <2.2.5	2.2.5

Aliases

1. CVE-2026-322652. NVD-2026-322653. OSV-2026-322654. GHSA-hwj7-4vgc-j3v95. GCVE-2026-32265

References

1. https://github.com/craftcms/aws-s3/security/advisories/GHSA-hwj7-4vgc-j3v92. https://github.com/craftcms/aws-s3/commit/ef8904d8b6856e4a52893a9e1e52988ae110aa3f

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.