CVE-2026-47068
Published 2026-05-20
Priority: P415 · Severity: low · CVSS 4.0 base score: 2.3
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.45% (35.8th percentile)
Authorization Bypass Through User-Controlled Key vulnerability in phenixdigital phoenix_storybook allows cross-session PubSub topic injection via a URL query parameter.
'Elixir.PhoenixStorybook.Story.ComponentIframeLive':handle_params/3 in lib/phoenix_storybook/live/story/component_iframe_live.ex reads a PubSub topic directly from params["topic"] and broadcasts {:component_iframe_pid, self()} on it with no check that the topic belongs to the requesting session. The shared PhoenixStorybook.PubSub is used to coordinate playground LiveViews with their iframes: a playground subscribes to a session-specific topic and uses the received iframe pid to direct subsequent control messages (variation state, theme switches, extra-assign payloads) via send/2. Because the iframe trusts the query parameter, an attacker who loads /storybook/iframe/?topic= causes their iframe process pid to be announced on the victim's topic. The victim's playground then addresses its private messages to the attacker's iframe process.
This issue affects phoenix_storybook from 0.4.0 before 1.1.0.
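The pattern the description above names (a LiveView that broadcasts its own pid on whatever topic the query string supplies) and one way to bind the topic to the session instead, as an added Elixir illustration that is not phoenix_storybook's own code: the module name, the PubSub name `Example.PubSub`, the session key `"storybook_session_id"` and the `session_topic/1` helper are assumptions, and the hardened half shows one possible mitigation, not the fix shipped in 1.1.0.

```elixir
# Added illustration (not phoenix_storybook's code). Module, PubSub and session
# key names are assumptions chosen for the example.
defmodule Example.IframeLive do
  use Phoenix.LiveView

  @pubsub Example.PubSub

  def render(assigns) do
    ~H"""
    <div id="iframe-root">iframe content</div>
    """
  end

  # Vulnerable pattern (CWE-639): the topic is taken straight from the URL, so
  # any visitor who names another user's topic gets this pid announced on it,
  # and that user's playground then sends its control messages here.
  def vulnerable_handle_params(%{"topic" => topic}, _uri, socket) do
    Phoenix.PubSub.broadcast(@pubsub, topic, {:component_iframe_pid, self()})
    {:noreply, socket}
  end

  # Hardened pattern: the playground puts a per-session random id into the
  # signed Plug session when it mounts (assumed key "storybook_session_id").
  # The iframe reads that id in mount/3 and only ever announces itself on the
  # topic derived from it; the query-string topic is checked against it and
  # otherwise ignored.
  def mount(_params, %{"storybook_session_id" => session_id}, socket) do
    {:ok, assign(socket, :topic, session_topic(session_id))}
  end

  def mount(_params, _session, socket) do
    {:ok, assign(socket, :topic, nil)}
  end

  def handle_params(params, _uri, %{assigns: %{topic: own_topic}} = socket) do
    case authorize_topic(params["topic"], own_topic) do
      {:ok, topic} ->
        Phoenix.PubSub.broadcast(@pubsub, topic, {:component_iframe_pid, self()})
        {:noreply, socket}

      :error ->
        # Do not broadcast on a topic this process did not derive itself.
        {:noreply, socket}
    end
  end

  # Accept the requested topic only when it equals the session-bound one.
  # Constant-time comparison avoids leaking how much of a topic matched.
  def authorize_topic(nil, _own_topic), do: :error
  def authorize_topic(_requested, nil), do: :error

  def authorize_topic(requested, own_topic) when is_binary(requested) do
    if Plug.Crypto.secure_compare(requested, own_topic),
      do: {:ok, own_topic},
      else: :error
  end

  def authorize_topic(_requested, _own_topic), do: :error

  # Assumed topic scheme: one PubSub topic per storybook session id.
  def session_topic(session_id), do: "playground:" <> session_id
end
```

The defensive point is the one the advisory makes: the iframe must not treat the query parameter as proof of ownership. Deriving the topic from a value the server placed in the signed session, and only comparing the URL value against it, means a visitor cannot cause a pid to be announced on a topic that does not belong to their own browser session.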
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| phenixdigital | phoenix_storybook | >= 0.4.0 < 1.1.0 | 1.1.0 |
| phenixdigital | phoenix_storybook | >= 0.4.0 < 1.1.0 | 1.1.0 |
| phenixdigital | phoenix_storybook | >= 8c2c97b0f505780fee4069988bf86736f51d35d7 < 6ee03f1c738d4436dde1b066cf65c80663d489f5 | 6ee03f1c738d4436dde1b066cf65c80663d489f5 |
GHSA (2026-06-09): CVE-2026-47068 [LOW] CWE-639
PhoenixStorybook has cross-session PubSub topic injection via URL parameter
### Summary
The storybook iframe LiveView accepts a PubSub topic from the URL query string and broadcasts its own pid onto that topic with no check that the topic belongs to the current session. Any unauthenticated visitor who knows or guesses another user's playground topic can hijack the playground↔iframe handshake, causing the victim's playground to send its control messages to an attacker-controlled iframe process — a cross-session information leak.
Likely introduced in https://github.com/phenixdigital/phoenix_storybook/commit/8c2c97b0f505780fee4069988bf86736f51d35d7
### Details
`PhoenixStorybook.Story.ComponentIframeLive.handle_params/3` (lib/phoenix_storybook/live/story/component_iframe_live.ex:24-30) take
VulDB (2026-05-20, CVSS 2.3): CVE-2026-47068 [LOW]
phenixdigital phoenix_storybook up to 1.0.x Control Message component_iframe_live.ex Query authorization
A vulnerability was found in phenixdigital phoenix_storybook up to 1.0.x and classified as critical. An unknown function in the library file lib/phoenix_storybook/live/story/component_iframe_live.ex of the component Control Message Handler is affected. Manipulation of the argument Query leads to authorization bypass.
This vulnerability is documented as CVE-2026-47068. The attack can be executed remotely. There is not any exploit available.
It is suggested to upgrade the affected component.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References:
- https://cna.erlef.org/cves/CVE-2026-47068.html
- https://github.com/phenixdigital/phoenix_storybook/commit/6ee03f1c738d4436dde1b066cf65c80663d489f5
- https://github.com/phenixdigital/phoenix_storybook/security/advisories/GHSA-mrhx-6pw9-q5fh
- https://osv.dev/vulnerability/EEF-CVE-2026-47068