Description
Storybook is a frontend workshop for building user interface components and pages in isolation. Prior to versions 7.6.23, 8.6.17, 9.1.19, and 10.2.10, the WebSocket functionality in Storybook's dev server, used to create and update stories, is vulnerable to WebSocket hijacking. This vulnerability only affects the Storybook dev server; production builds are not impacted. Exploitation requires a developer to visit a malicious website while their local Storybook dev server is running. Because the WebSocket connection does not validate the origin of incoming connections, a malicious site can silently send WebSocket messages to the local instance without any further user interaction. If the Storybook dev server is intentionally exposed publicly (e.g. for design reviews or stakeholder demos) the risk is higher, as no malicious site visit is required. Any unauthenticated attacker can send WebSocket messages to it directly. The vulnerability affects the WebSocket message handlers for creating and saving stories. Both are vulnerable to injection via unsanitized input in the componentFilePath field, which can be exploited to achieve persistent XSS or Remote Code Execution (RCE). Versions 7.6.23, 8.6.17, 9.1.19, and 10.2.10 contain a fix for the issue.
Published: 2026-02-25
Score: 8.9 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch Now
AI Analysis

Impact

Storybook’s development server accepts WebSocket connections without validating the connection’s origin. This omission lets an attacker hijack a developer’s local server when the developer visits a malicious website, or, if the server is publicly exposed, connect to it directly without authorization. Over the hijacked connection the attacker can send crafted messages whose componentFilePath field, used by the story creation and saving handlers, is not sanitized. The unsafe handling of this field allows injection that can lead to persistent cross‑site scripting or, in some cases, remote code execution on the machine running the dev server.

Affected Systems

The vulnerability affects Storybook versions earlier than 7.6.23, 8.6.17, 9.1.19, and 10.2.10 (the fixed release of each major version line). Storybook runs on Node.js and is commonly used by front‑end developers for local prototyping and design‑review sessions.

Risk and Exploitability

The likely attack vector follows from the description: the attacker can hijack the dev server when the developer visits a malicious site while the server is running, or, if the dev server is exposed publicly, connect directly without the developer visiting any site. The CVSS score of 8.9 categorizes the flaw as high severity, while the EPSS score below 1% indicates a low probability of exploitation at present. It is not listed in the CISA KEV catalog, suggesting no known widespread exploitation. If the dev server is inadvertently exposed to the public internet, the risk rises significantly because the attacker can connect without needing to compromise the developer’s machine directly.

Generated by OpenCVE AI on April 18, 2026 at 10:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Storybook to version 7.6.23, 8.6.17, 9.1.19, or 10.2.10 or later, ensuring the WebSocket origin validation fix is applied.
  • If an upgrade cannot be made immediately, restrict access to the dev server to the local loopback interface or a secure internal network segment, and prevent public exposure during development.
  • Disable or remove the WebSocket service from the dev server configuration until a patch is available, thereby preventing hijacking of the connection by malicious sites.

Advisories

Source: GitHub GHSA
ID: GHSA-mjf5-7g4m-gx5w
Title: Storybook Dev Server is Vulnerable to WebSocket Hijacking

History

Tue, 10 Mar 2026 19:30:00 +0000

Type: First Time appeared
  Values Added: Storybook; Storybook storybook

Type: CPEs
  Values Added: cpe:2.3:a:storybook:storybook:*:*:*:*:*:node.js:*:*

Type: Vendors & Products
  Values Added: Storybook; Storybook storybook

Type: Metrics
  Values Removed: cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:H'}
  Values Added: cvssV3_1 {'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}


Fri, 27 Feb 2026 16:15:00 +0000

Type: Metrics
  Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 26 Feb 2026 13:30:00 +0000

Type: First Time appeared
  Values Added: Storybookjs; Storybookjs storybook

Type: Vendors & Products
  Values Added: Storybookjs; Storybookjs storybook

Thu, 26 Feb 2026 12:15:00 +0000

Type: Weaknesses
  Values Added: CWE-346

Type: References

Type: Metrics
  Values Removed: threat_severity None
  Values Added: cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:H'}; threat_severity Important


Wed, 25 Feb 2026 22:00:00 +0000

Type: Description
  Values Added: Storybook is a frontend workshop for building user interface components and pages in isolation. Prior to versions 7.6.23, 8.6.17, 9.1.19, and 10.2.10, the WebSocket functionality in Storybook's dev server, used to create and update stories, is vulnerable to WebSocket hijacking. This vulnerability only affects the Storybook dev server; production builds are not impacted. Exploitation requires a developer to visit a malicious website while their local Storybook dev server is running. Because the WebSocket connection does not validate the origin of incoming connections, a malicious site can silently send WebSocket messages to the local instance without any further user interaction. If the Storybook dev server is intentionally exposed publicly (e.g. for design reviews or stakeholder demos) the risk is higher, as no malicious site visit is required. Any unauthenticated attacker can send WebSocket messages to it directly. The vulnerability affects the WebSocket message handlers for creating and saving stories. Both are vulnerable to injection via unsanitized input in the componentFilePath field, which can be exploited to achieve persistent XSS or Remote Code Execution (RCE). Versions 7.6.23, 8.6.17, 9.1.19, and 10.2.10 contain a fix for the issue.

Type: Title
  Values Added: Storybook Dev Server Vulnerable to WebSocket Hijacking

Type: Weaknesses
  Values Added: CWE-74; CWE-79

Type: References

Type: Metrics
  Values Added: cvssV4_0 {'score': 8.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-26T20:26:14.136Z

Reserved: 2026-02-18T00:18:53.961Z

Link: CVE-2026-27148

Vulnrichment

Updated: 2026-02-26T20:26:08.712Z

NVD

Status: Analyzed

Published: 2026-02-25T22:16:25.317

Modified: 2026-03-10T19:21:01.867

Link: CVE-2026-27148

Redhat

Severity: Important

Public Date: 2026-02-25T21:46:48Z

Links: CVE-2026-27148 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T10:45:43Z

Weaknesses