CVE-2026-47068
Description
Authorization Bypass Through User-Controlled Key vulnerability in phenixdigital phoenix_storybook allows cross-session PubSub topic injection via a URL query parameter.
'Elixir.PhoenixStorybook.Story.ComponentIframeLive':handle_params/3 in lib/phoenix_storybook/live/story/component_iframe_live.ex reads a PubSub topic directly from params["topic"] and broadcasts {:component_iframe_pid, self()} on it with no check that the topic belongs to the requesting session. The shared PhoenixStorybook.PubSub is used to coordinate playground LiveViews with their iframes: a playground subscribes to a session-specific topic and uses the received iframe pid to direct subsequent control messages (variation state, theme switches, extra-assign payloads) via send/2. Because the iframe trusts the query parameter, an attacker who loads /storybook/iframe/?topic=<victim_topic> causes their iframe process pid to be announced on the victim's topic. The victim's playground then addresses its private messages to the attacker's iframe process.
This issue affects phoenix_storybook from 0.4.0 before 1.1.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
phoenix_storybookHex | >= 0.4.0, < 1.1.0 | 1.1.0 |
Affected products
2(expand)+ 1 more
- (no CPE)
- (no CPE)range: >=0.4.0 <1.1.0
Patches
Vulnerability mechanics
References
6- github.com/advisories/GHSA-mrhx-6pw9-q5fhghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-47068ghsaADVISORY
- cna.erlef.org/cves/CVE-2026-47068.htmlnvdWEB
- github.com/phenixdigital/phoenix_storybook/commit/6ee03f1c738d4436dde1b066cf65c80663d489f5nvdWEB
- github.com/phenixdigital/phoenix_storybook/security/advisories/GHSA-mrhx-6pw9-q5fhnvdWEB
- osv.dev/vulnerability/EEF-CVE-2026-47068nvdWEB
News mentions
0No linked articles in our index yet.