CVE Reports

Originally published at cvereports.com

CVE-2026-47068: Authorization Bypass via Cross-Session PubSub Topic Injection in phoenix_storybook

Vulnerability ID: CVE-2026-47068
CVSS Score: 2.3
Published: 2026-06-09

A security vulnerability in the Elixir package phoenix_storybook (versions 0.4.0 up to 1.1.0) allows unauthenticated remote attackers to perform cross-session PubSub topic injection. By manipulating URL parameters, an attacker can hijack the real-time communications channel, enabling them to capture user state and control parameters from active sessions.

TL;DR

Unauthenticated remote attackers can hijack active phoenix_storybook sessions by supplying a victim's PubSub topic via URL parameters, leading to potential cross-session state exposure.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-639
  • Attack Vector: Network
  • CVSS Score: 2.3 (Low)
  • EPSS Score: 0.00054
  • Exploit Status: No active public exploits
  • KEV Status: Not listed

Affected Systems

  • phoenix_storybook package for Elixir
  • phoenix_storybook: >= 0.4.0, < 1.1.0 (Fixed in: 1.1.0)

Code Analysis

Commit: 6ee03f1

Enforce cryptographic verification of playground topics via Phoenix.Token.

Mitigation Strategies

  • Upgrade phoenix_storybook to version 1.1.0 or higher.
  • Ensure application endpoint configuration uses a secure, non-default secret_key_base.
  • Manually verify playground topic strings using Phoenix.Token in custom storybook setups.
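As an added illustration of the Phoenix.Token check that the fix commit and the last bullet describe (example code, not phoenix_storybook's own implementation), assuming a constructed secret_key_base, a salt name of "playground topic", and a `playground:<session id>` topic layout:

```elixir
# Added example, not phoenix_storybook code: a topic echoed back by the client
# is accepted only when it carries a valid Phoenix.Token signature, so a URL
# parameter naming another session's topic cannot be injected.
defmodule PlaygroundTopicExample do
  # Constructed secret for this example; a real application passes its
  # endpoint module so Phoenix.Token reads the configured secret_key_base.
  @secret_key_base "constructed-secret-key-base-of-at-least-20-bytes"
  # Salt name and topic layout are assumptions, not the library's values.
  @salt "playground topic"
  @max_age 60 * 60

  # Server side: never hand the raw topic to the client, hand out a signed token.
  def issue_token(session_id) when is_binary(session_id) do
    Phoenix.Token.sign(@secret_key_base, @salt, "playground:" <> session_id)
  end

  # Request side: the iframe URL carries ?playground_token=...; only a token
  # signed with our secret (and not older than @max_age) yields a topic.
  def topic_from_params(%{"playground_token" => token}) when is_binary(token) do
    Phoenix.Token.verify(@secret_key_base, @salt, token, max_age: @max_age)
  end

  # A bare ?topic=... parameter (the pre-1.1.0 shape) is ignored outright.
  def topic_from_params(_params), do: {:error, :missing}
end

# Usage: a legitimate token round-trips, a token minted under a different
# secret fails verification, and a raw topic parameter is never trusted.
token = PlaygroundTopicExample.issue_token("session-a")

{:ok, "playground:session-a"} =
  PlaygroundTopicExample.topic_from_params(%{"playground_token" => token})

other_key_token =
  Phoenix.Token.sign("different-secret-key-base-that-is-long", "playground topic", "playground:session-b")

{:error, :invalid} =
  PlaygroundTopicExample.topic_from_params(%{"playground_token" => other_key_token})

{:error, :missing} =
  PlaygroundTopicExample.topic_from_params(%{"topic" => "playground:session-b"})
```

The `max_age` option bounds how long a captured token stays usable; pick a value that matches how long a playground session is expected to live.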

Remediation Steps:

  1. Inspect mix.exs to determine the current phoenix_storybook version.
  2. Update the dependency to {:phoenix_storybook, "~> 1.1.0"}.
  3. Run mix deps.get to download and compile the updated package.
  4. Verify deployment by inspecting URL parameters within the storybook playground iframe (should use 'playground_token' instead of 'topic').

Read the full report for CVE-2026-47068 on our website for more details including interactive diagrams and full exploit analysis.