DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-27148: Storybook Ending: Dev Server RCE via WebSocket Hijacking


Vulnerability ID: CVE-2026-27148
CVSS Score: 8.9
Published: 2026-02-26

A critical flaw in the Storybook development server allows attackers to hijack the WebSocket connection from a malicious website via Cross-Site WebSocket Hijacking (CSWSH). Because the server failed to validate the Origin header or require authentication, a drive-by attack can silently connect to a developer's local instance, overwrite files, and achieve Remote Code Execution (RCE) on the developer's machine.

TL;DR

Storybook's dev server left its WebSocket door wide open. If a developer visits a malicious site while Storybook is running, the site can hijack the connection (CSWSH), write malicious files to the local disk, and trigger RCE. Patch immediately to versions 7.6.23+, 8.6.17+, 9.1.19+, or 10.2.10+.


⚠️ Exploit Status: POC

Technical Details

  • Attack Vector: Network (Drive-By)
  • CVSS v4.0: 8.9 (High)
  • CWE: CWE-74 / CWE-79
  • Impact: RCE / Persistent XSS
  • Exploit Status: PoC Available
  • Component: ServerChannelTransport

Affected Systems

  • Storybook Dev Server: < 7.6.23 (Fixed in: 7.6.23)
  • Storybook Dev Server: 8.1.0 - < 8.6.17 (Fixed in: 8.6.17)
  • Storybook Dev Server: 9.0.0 - < 9.1.19 (Fixed in: 9.1.19)
  • Storybook Dev Server: 10.0.0 - < 10.2.10 (Fixed in: 10.2.10)

Code Analysis

Commit: 54689a8

Core: Fix WebSocket security vulnerability

    server.on('upgrade', ...
      if (!isValidToken(requestToken)) socket.destroy();
    ...

Exploit Details

Mitigation Strategies

  • Token-based authentication for WebSocket connections
  • Strict Origin validation (though token auth is preferred for local dev tools)
  • Network isolation of development environments

Remediation Steps:

  1. Identify the current Storybook version by running npm list storybook or by checking package.json.
  2. Update to the nearest patched version (e.g., npm install storybook@latest).
  3. Verify the fix by checking network traffic in DevTools; ensure WebSocket upgrades now include a ?token= parameter.
  4. Restart the development server to generate a new secure token.

References


Read the full report for CVE-2026-27148 on our website for more details including interactive diagrams and full exploit analysis.
