CVE-2026-27148
WebSocket Hijacking in Storybook Dev Server Enables RCE
Publication date: 2026-02-25
Last updated on: 2026-03-10
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| storybook | storybook | to 7.6.23 (exc) |
| storybook | storybook | From 10.0.0 (inc) to 10.2.10 (exc) |
| storybook | storybook | From 8.1.0 (inc) to 8.6.17 (exc) |
| storybook | storybook | From 9.0.0 (inc) to 9.1.19 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects the WebSocket functionality in Storybook's development server, which is used to create and update UI component stories. Prior to certain fixed versions, the WebSocket connection does not validate the origin of incoming connections, allowing a malicious website or attacker to send unauthorized WebSocket messages to the local Storybook dev server.
Exploitation requires a developer to visit a malicious website while their local Storybook dev server is running, or if the dev server is publicly exposed, an attacker can send messages directly without user interaction.
The vulnerable code is the set of WebSocket message handlers for creating and saving stories, which accept unsanitized input in the componentFilePath field. This allows injection attacks that result in persistent cross-site scripting (XSS) or remote code execution (RCE).
Fixed versions include 7.6.23, 8.6.17, 9.1.19, and 10.2.10.
How can this vulnerability impact me?
If exploited, this vulnerability can allow an attacker to execute arbitrary code or persistent scripts on the system running the Storybook dev server.
This can lead to unauthorized access, data manipulation, or compromise of the development environment.
The risk is higher if the Storybook dev server is publicly accessible, as attackers can send malicious WebSocket messages without requiring the developer to visit a malicious site.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade your Storybook dev server to one of the fixed versions: 7.6.23, 8.6.17, 9.1.19, or 10.2.10.
Avoid exposing the Storybook dev server publicly to reduce the risk of unauthenticated attackers sending malicious WebSocket messages.
Ensure developers do not visit untrusted or malicious websites while the local Storybook dev server is running.