{"id":"EEF-CVE-2026-47068","summary":"Cross-session PubSub topic injection via URL parameter in phoenix_storybook","details":"## Summary\n\nAuthorization Bypass Through User-Controlled Key vulnerability in phenixdigital phoenix_storybook allows cross-session PubSub topic injection via a URL query parameter.\n\n'Elixir.PhoenixStorybook.Story.ComponentIframeLive':handle_params/3 in lib/phoenix_storybook/live/story/component_iframe_live.ex reads a PubSub topic directly from params[\"topic\"] and broadcasts {:component_iframe_pid, self()} on it with no check that the topic belongs to the requesting session. The shared PhoenixStorybook.PubSub is used to coordinate playground LiveViews with their iframes: a playground subscribes to a session-specific topic and uses the received iframe pid to direct subsequent control messages (variation state, theme switches, extra-assign payloads) via send/2. Because the iframe trusts the query parameter, an attacker who loads /storybook/iframe/\u003cstory\u003e?topic=\u003cvictim_topic\u003e causes their iframe process pid to be announced on the victim's topic. The victim's playground then addresses its private messages to the attacker's iframe process.\n\nThis issue affects phoenix_storybook from 0.4.0 before 1.1.0.","aliases":["CVE-2026-47068","GHSA-mrhx-6pw9-q5fh"],"modified":"2026-05-20T13:56:23.111680394Z","published":"2026-05-20T13:35:33.215Z","database_specific":{"capec_ids":["CAPEC-12"],"cpe_ids":["cpe:2.3:a:phenixdigital:phoenix_storybook:*:*:*:*:*:*:*:*"],"cwe_ids":["CWE-639"]},"references":[{"type":"ADVISORY","url":"https://github.com/phenixdigital/phoenix_storybook/security/advisories/GHSA-mrhx-6pw9-q5fh"},{"type":"WEB","url":"https://cna.erlef.org/cves/CVE-2026-47068.html"},{"type":"FIX","url":"https://github.com/phenixdigital/phoenix_storybook/commit/6ee03f1c738d4436dde1b066cf65c80663d489f5"},{"type":"PACKAGE","url":"https://hex.pm/packages/phoenix_storybook"}],"affected":[{"package":{"name":"phoenix_storybook","ecosystem":"Hex","purl":"pkg:hex/phoenix_storybook"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.4.0"},{"fixed":"1.1.0"}]}],"versions":["0.5.0","0.5.1","0.5.2","0.5.3","0.5.4","0.5.5","0.5.6","0.5.7","0.6.0","0.6.1","0.6.2","0.6.3","0.6.4","0.7.0","0.7.1","0.7.2","0.8.0","0.8.1","0.8.2","0.8.3","0.9.0","0.9.1","0.9.2","0.9.3","1.0.0"],"database_specific":{"source":"https://cna.erlef.org/osv/EEF-CVE-2026-47068.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/phenixdigital/phoenix_storybook","events":[{"introduced":"8c2c97b0f505780fee4069988bf86736f51d35d7"},{"fixed":"6ee03f1c738d4436dde1b066cf65c80663d489f5"}]}],"versions":["v1.0.0","v0.9.3","v0.9.2","v0.9.1","v0.9.0","v0.8.3","v0.8.1","v0.7.2","v0.7.1","v0.7.0","v0.6.4","v0.6.3","v0.6.2","v0.6.1","v0.6.0","v0.5.7","v0.5.6","v0.5.5","v0.5.4","v0.5.3","v0.5.2","v0.5.1","v0.5.0","v0.4.5","v0.4.4","v0.4.3","v0.4.2","v0.4.1","v0.4.0"],"database_specific":{"source":"https://cna.erlef.org/osv/EEF-CVE-2026-47068.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"}],"credits":[{"name":"Peter Ullrich","type":"FINDER"},{"name":"Christian Blavier","type":"REMEDIATION_DEVELOPER"},{"name":"Jonatan Männchen","type":"ANALYST"}]}