Description
Authorization Bypass Through User-Controlled Key vulnerability in phenixdigital phoenix_storybook allows cross-session PubSub topic injection via a URL query parameter.

'Elixir.PhoenixStorybook.Story.ComponentIframeLive':handle_params/3 in lib/phoenix_storybook/live/story/component_iframe_live.ex reads a PubSub topic directly from params["topic"] and broadcasts {:component_iframe_pid, self()} on it with no check that the topic belongs to the requesting session. The shared PhoenixStorybook.PubSub is used to coordinate playground LiveViews with their iframes: a playground subscribes to a session-specific topic and uses the received iframe pid to direct subsequent control messages (variation state, theme switches, extra-assign payloads) via send/2. Because the iframe trusts the query parameter, an attacker who loads /storybook/iframe/<story>?topic=<victim_topic> causes their iframe process pid to be announced on the victim's topic. The victim's playground then addresses its private messages to the attacker's iframe process.

This issue affects phoenix_storybook from 0.4.0 before 1.1.0.
Published: 2026-05-20
Score: 2.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability allows an attacker to override the target PubSub topic used for communication between a playground LiveView and its iframe. By supplying a custom topic in the URL query parameter, the attacker’s iframe registers its process on sensitive, session‑specific topics. The victim playground subsequently sends privileged control messages to the attacker’s iframe, enabling unauthorized manipulation of UI state or theme toggling within the victim’s session. The weakness is an authorization bypass that lets an attacker gain control over a user’s private session through a simple URL trick.

Affected Systems

Products affected are phenixdigital phoenix_storybook versions prior to 1.1.0, including all releases from 0.4.0 up to but not including 1.1.0. The vulnerability is present in the component handling of iframe URLs and is tied to the shared PhoenixStorybook.PubSub used by the playground.

Risk and Exploitability

The CVSS score of 2.3 indicates low overall severity. Exploitation requires an attacker to provide a crafted URL to a victim; no authentication or privileged access is needed. Since the EPSS score is unavailable, the current exploitation probability is uncertain, but the lack of KEV listing suggests no publicly known actively exploited instances. The risk remains low to moderate, though the convenience of exploitation may encourage malicious use. As the threat vector is a simple URL parameter, the attack can be performed remotely via phishing or malicious links.

Generated by OpenCVE AI on May 20, 2026 at 15:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to phenixdigital phoenix_storybook version 1.1.0 or later to eliminate the unsecured topic handling.
  • Modify the component that reads the "topic" query parameter to verify that the supplied topic belongs to the current user session before broadcasting.
  • If an immediate upgrade is not feasible, restrict the iframe URL to only allow a controlled list of topic names and eliminate the ability to pass arbitrary values via the query string.

Generated by OpenCVE AI on May 20, 2026 at 15:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-mrhx-6pw9-q5fh PhoenixStorybook has cross-session PubSub topic injection via URL parameter
History

Thu, 21 May 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 20 May 2026 14:15:00 +0000

Type Values Removed Values Added
Description Authorization Bypass Through User-Controlled Key vulnerability in phenixdigital phoenix_storybook allows cross-session PubSub topic injection via a URL query parameter. 'Elixir.PhoenixStorybook.Story.ComponentIframeLive':handle_params/3 in lib/phoenix_storybook/live/story/component_iframe_live.ex reads a PubSub topic directly from params["topic"] and broadcasts {:component_iframe_pid, self()} on it with no check that the topic belongs to the requesting session. The shared PhoenixStorybook.PubSub is used to coordinate playground LiveViews with their iframes: a playground subscribes to a session-specific topic and uses the received iframe pid to direct subsequent control messages (variation state, theme switches, extra-assign payloads) via send/2. Because the iframe trusts the query parameter, an attacker who loads /storybook/iframe/<story>?topic=<victim_topic> causes their iframe process pid to be announced on the victim's topic. The victim's playground then addresses its private messages to the attacker's iframe process. This issue affects phoenix_storybook from 0.4.0 before 1.1.0.
Title Cross-session PubSub topic injection via URL parameter in phoenix_storybook
First Time appeared Phenixdigital
Phenixdigital phoenix Storybook
Weaknesses CWE-639
CPEs cpe:2.3:a:phenixdigital:phoenix_storybook:*:*:*:*:*:*:*:*
Vendors & Products Phenixdigital
Phenixdigital phoenix Storybook
References
Metrics cvssV4_0

{'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Phenixdigital Phoenix Storybook
cve-icon MITRE

Status: PUBLISHED

Assigner: EEF

Published:

Updated: 2026-05-27T15:41:37.339Z

Reserved: 2026-05-18T17:28:08.321Z

Link: CVE-2026-47068

cve-icon Vulnrichment

Updated: 2026-05-21T13:59:42.850Z

cve-icon NVD

Status : Deferred

Published: 2026-05-20T14:17:01.557

Modified: 2026-05-21T15:16:28.803

Link: CVE-2026-47068

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-21T08:19:14Z

Weaknesses