Authorization Bypass Through User-Controlled Key vulnerability in phenixdigital phoenix_storybook allows cross-session PubSub topic injection via a URL query parameter.
'Elixir.PhoenixStorybook.Story.ComponentIframeLive':handleparams/3 in lib/phoenixstorybook/live/story/componentiframelive.ex reads a PubSub topic directly from params["topic"] and broadcasts {:componentiframepid, self()} on it with no check that the topic belongs to the requesting session. The shared PhoenixStorybook.PubSub is used to coordinate playground LiveViews with their iframes: a playground subscribes to a session-specific topic and uses the received iframe pid to direct subsequent control messages (variation state, theme switches, extra-assign payloads) via send/2. Because the iframe trusts the query parameter, an attacker who loads /storybook/iframe/<story>?topic=<victim_topic> causes their iframe process pid to be announced on the victim's topic. The victim's playground then addresses its private messages to the attacker's iframe process.
This issue affects phoenix_storybook from 0.4.0 before 1.1.0.
{
"unresolved_ranges": [
{
"source": "AFFECTED_FIELD",
"extracted_events": [
{
"introduced": "8c2c97b0f505780fee4069988bf86736f51d35d7"
},
{
"fixed": "6ee03f1c738d4436dde1b066cf65c80663d489f5"
}
]
}
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/47xxx/CVE-2026-47068.json",
"cna_assigner": "EEF",
"cwe_ids": [
"CWE-639"
]
}