CVE-2026-47068: CVE-2026-47068: Authorization Bypass via Cross-Session PubSub Topic Injection in phoenix_storybook

CVSS Score: 2.3 Published: 2026-06-09 Full Report: https://cvereports.com/reports/CVE-2026-47068

Summary

A security vulnerability in the Elixir package phoenix_storybook (versions 0.4.0 up to 1.1.0) allows unauthenticated remote attackers to perform cross-session PubSub topic injection. By manipulating URL parameters, an attacker can hijack the real-time communications channel, enabling them to capture user state and control parameters from active sessions.

TL;DR

Unauthenticated remote attackers can hijack active phoenix_storybook sessions by supplying a victim's PubSub topic via URL parameters, leading to potential cross-session state exposure.

Exploit Status: POC

Technical Details

CWE ID: CWE-639
Attack Vector: Network
CVSS Score: 2.3 (Low)
EPSS Score: 0.00054
Exploit Status: No active public exploits
KEV Status: Not listed

Affected Systems

phoenix_storybook package for Elixir
phoenix_storybook: >= 0.4.0, < 1.1.0 (Fixed in: 1.1.0)

Mitigation

Upgrade phoenix_storybook to version 1.1.0 or higher.
Ensure application endpoint configuration uses a secure, non-default secret_key_base.
Manually verify playground topic strings using Phoenix.Token in custom storybook setups.

Remediation Steps:

Inspect mix.exs to determine the current phoenix_storybook version.
Update the dependency to {:phoenix_storybook, "~> 1.1.0"}.
Run mix deps.get to download and compile the updated package.
Verify deployment by inspecting URL parameters within the storybook playground iframe (should use 'playground_token' instead of 'topic').

References

Generated by CVEReports - Automated Vulnerability Intelligence

alon710/CVE-2026-47068.md

Select an option

No results found