'Elixir.PhoenixStorybook.Story.ComponentIframeLive':handle_params/3 in lib/phoenix_storybook/live/story/component_iframe_live.ex reads a PubSub topic directly from params["topic"] and broadcasts {:component_iframe_pid, self()} on it with no check that the topic belongs to the requesting session. The shared PhoenixStorybook.PubSub is used to coordinate playground LiveViews with their iframes: a playground subscribes to a session-specific topic and uses the received iframe pid to direct subsequent control messages (variation state, theme switches, extra-assign payloads) via send/2. Because the iframe trusts the query parameter, an attacker who loads /storybook/iframe/<story>?topic=<victim_topic> causes their iframe process pid to be announced on the victim's topic. The victim's playground then addresses its private messages to the attacker's iframe process.
This issue affects phoenix_storybook from 0.4.0 before 1.1.0.
Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
| Source | ID | Title |
|---|---|---|
Github GHSA |
GHSA-mrhx-6pw9-q5fh | PhoenixStorybook has cross-session PubSub topic injection via URL parameter |
Thu, 21 May 2026 14:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Wed, 20 May 2026 14:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Authorization Bypass Through User-Controlled Key vulnerability in phenixdigital phoenix_storybook allows cross-session PubSub topic injection via a URL query parameter. 'Elixir.PhoenixStorybook.Story.ComponentIframeLive':handle_params/3 in lib/phoenix_storybook/live/story/component_iframe_live.ex reads a PubSub topic directly from params["topic"] and broadcasts {:component_iframe_pid, self()} on it with no check that the topic belongs to the requesting session. The shared PhoenixStorybook.PubSub is used to coordinate playground LiveViews with their iframes: a playground subscribes to a session-specific topic and uses the received iframe pid to direct subsequent control messages (variation state, theme switches, extra-assign payloads) via send/2. Because the iframe trusts the query parameter, an attacker who loads /storybook/iframe/<story>?topic=<victim_topic> causes their iframe process pid to be announced on the victim's topic. The victim's playground then addresses its private messages to the attacker's iframe process. This issue affects phoenix_storybook from 0.4.0 before 1.1.0. | |
| Title | Cross-session PubSub topic injection via URL parameter in phoenix_storybook | |
| First Time appeared |
Phenixdigital
Phenixdigital phoenix Storybook |
|
| Weaknesses | CWE-639 | |
| CPEs | cpe:2.3:a:phenixdigital:phoenix_storybook:*:*:*:*:*:*:*:* | |
| Vendors & Products |
Phenixdigital
Phenixdigital phoenix Storybook |
|
| References |
| |
| Metrics |
cvssV4_0
|
Status: PUBLISHED
Assigner: EEF
Published:
Updated: 2026-05-27T15:41:37.339Z
Reserved: 2026-05-18T17:28:08.321Z
Link: CVE-2026-47068
Updated: 2026-05-21T13:59:42.850Z
Status : Deferred
Published: 2026-05-20T14:17:01.557
Modified: 2026-06-17T10:54:17.397
Link: CVE-2026-47068
No data.
OpenCVE Enrichment
Updated: 2026-05-21T08:19:14Z
Github GHSA