CVE-2026-47068
Deferred Deferred - Pending Action
Authorization Bypass in Phoenix Storybook via PubSub Topic Injection

Publication date: 2026-05-20

Last updated on: 2026-05-21

Assigner: EEF

Description
Authorization Bypass Through User-Controlled Key vulnerability in phenixdigital phoenix_storybook allows cross-session PubSub topic injection via a URL query parameter. 'Elixir.PhoenixStorybook.Story.ComponentIframeLive':handle_params/3 in lib/phoenix_storybook/live/story/component_iframe_live.ex reads a PubSub topic directly from params["topic"] and broadcasts {:component_iframe_pid, self()} on it with no check that the topic belongs to the requesting session. The shared PhoenixStorybook.PubSub is used to coordinate playground LiveViews with their iframes: a playground subscribes to a session-specific topic and uses the received iframe pid to direct subsequent control messages (variation state, theme switches, extra-assign payloads) via send/2. Because the iframe trusts the query parameter, an attacker who loads /storybook/iframe/<story>?topic=<victim_topic> causes their iframe process pid to be announced on the victim's topic. The victim's playground then addresses its private messages to the attacker's iframe process. This issue affects phoenix_storybook from 0.4.0 before 1.1.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-20
Last Modified
2026-05-21
Generated
2026-06-10
AI Q&A
2026-05-20
EPSS Evaluated
2026-06-08
NVD
CVE-2026-47068
EUVD
EUVD-2026-31111
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
phenixdigital phoenix_storybook From 0.4.0 (inc) to 1.1.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-47068 is an Authorization Bypass vulnerability in the phenixdigital phoenix_storybook library affecting versions 0.4.0 to before 1.1.0. The issue arises because the PhoenixStorybook.Story.ComponentIframeLive.handle_params/3 function reads a PubSub topic directly from a URL query parameter named "topic" without verifying that the topic belongs to the requesting session.

An attacker can craft a URL with a malicious "topic" parameter that points to a victim's session topic. When the victim loads this URL, their playground LiveView sends private control messages (such as variation state, theme switches, and extra assigns) to the attacker's iframe process instead of the intended recipient. This allows cross-session PubSub topic injection and unauthorized interception of messages.

Detection Guidance

This vulnerability involves an attacker exploiting a URL query parameter "topic" to inject a PubSub topic and hijack communication between the playground and iframe. Detection would involve monitoring for unusual or unauthorized URL requests to the /storybook/iframe/<story> endpoint containing suspicious or unexpected "topic" query parameters.

Since the vulnerability is related to URL query parameters and PubSub topic injection, you can detect attempts by inspecting web server logs or network traffic for requests to the iframe URL with the "topic" parameter set to values that do not belong to the requesting session.

Specific commands are not provided in the available resources, but general approaches include:

  • Using web server log analysis tools (e.g., grep) to search for requests containing the "topic" parameter in the iframe URL.
  • Monitoring network traffic with tools like tcpdump or Wireshark for suspicious URL query parameters targeting the /storybook/iframe/ endpoint.
  • Implementing application-level logging to record and alert on unexpected or unauthorized topic values in requests.
Mitigation Strategies

The vulnerability can be mitigated by applying the fix introduced in commit 6ee03f1c738d4436dde1b066cf65c80663d489f5, which replaces the insecure raw "topic" query parameter with a signed playground token system.

  • Upgrade phoenix_storybook to version 1.1.0 or later where the fix is implemented.
  • Ensure that iframe URLs use a signed playground token generated server-side with Phoenix.Token, which is verified before broadcasting messages.
  • Reject any requests with raw or invalid topic parameters to prevent unauthorized topic injection.
  • Alternatively, nest the iframe LiveView under the playground LiveView to remove the broadcast-based discovery mechanism.
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Impact Analysis

This vulnerability allows an unauthenticated attacker to hijack communication between a victim's playground and iframe by injecting a malicious PubSub topic via a URL parameter.

  • Cross-session information leak: Sensitive messages like variation state, theme changes, and developer-assigned data can be redirected to the attacker.
  • Unauthorized access: The attacker can receive private control messages intended only for the victim's session.
  • Potential manipulation: By receiving these messages, the attacker might influence or observe the victim's session state.

The vulnerability requires no authentication or special privileges, only knowledge or guessing of the victim's topic and access to the iframe URL.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-47068. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart