PT-2026-42177 · Unknown · Phoenix Storybook

Christian Blavier

Published 2026-05-20 · Updated 2026-05-20

CVE-2026-47068

CVSS v4.0: 2.3 (Low)
Vector: AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Phoenix Storybook versions 0.4.0 through 1.0.x

Description: An authorization bypass occurs due to user-controlled keys, allowing cross-session PubSub topic injection via a URL query parameter. The function handle_params/3 in Elixir.PhoenixStorybook.Story.ComponentIframeLive reads a PubSub topic directly from the topic parameter and broadcasts the iframe process pid without verifying that the topic belongs to the requesting session. This allows an attacker to load the endpoint '/storybook/iframe/' with a topic parameter belonging to a victim, causing the victim's playground to send private control messages, such as variation state and theme switches, to the attacker's iframe process.

Recommendations: Update Phoenix Storybook to version 1.1.0.
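The pattern the advisory describes, shown as an added illustration rather than Phoenix Storybook's own code: a LiveView whose handle_params/3 trusts a URL-supplied topic, beside a version that binds the topic to a session identifier the browser cannot choose. The module name, the PubSub server, the "playground_session_id" session key and the message shape are assumptions made for the example.

```elixir
defmodule Demo.ComponentIframeLive do
  @moduledoc """
  Illustrative LiveView (hypothetical module, not Phoenix Storybook's code)
  contrasting a user-controlled PubSub topic with a session-bound one.
  """
  use Phoenix.LiveView
  require Logger
  alias Phoenix.PubSub

  @pubsub Demo.PubSub

  def mount(_params, session, socket) do
    # Assumption: the plug pipeline stored an unguessable per-session id under
    # this key when the playground was opened; the browser cannot alter it.
    session_id = Map.fetch!(session, "playground_session_id")
    {:ok, assign(socket, session_id: session_id, topic: nil)}
  end

  # Weak pattern: the topic is taken straight from the URL, so a request that
  # names another session's topic receives that session's control messages.
  def handle_params_weak(%{"topic" => topic}, _uri, socket) do
    PubSub.broadcast(@pubsub, topic, {:playground_iframe, self()})
    {:noreply, assign(socket, :topic, topic)}
  end

  # Hardened: this process may only announce itself on the topic derived from
  # its own session. A URL-supplied topic is accepted only when it matches;
  # anything else is ignored and logged so the attempt is visible to defenders.
  def handle_params(params, _uri, socket) do
    own_topic = session_topic(socket.assigns.session_id)

    case Map.get(params, "topic", own_topic) do
      ^own_topic ->
        PubSub.broadcast(@pubsub, own_topic, {:playground_iframe, self()})
        {:noreply, assign(socket, :topic, own_topic)}

      other ->
        Logger.warning("rejected foreign playground topic #{inspect(other)}")
        {:noreply, socket}
    end
  end

  # Topic names are derived from the session id, never from caller input.
  def session_topic(session_id), do: "playground:" <> session_id
end
```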

Fix

IDOR

Weakness Enumeration

Related Identifiers: CVE-2026-47068, GHSA-MRHX-6PW9-Q5FH

Affected Products: Phoenix Storybook