PatchSiren cyber security CVE debrief

CVE-2026-47068 phenixdigital CVE debrief

CVE-2026-47068 describes an authorization bypass in phenixdigital phoenix_storybook where a user-controlled URL query parameter lets one iframe announce its PID on another session's PubSub topic. In affected versions, that can cause a victim playground to direct its subsequent control messages to the attacker's iframe process instead of its own.

Vendor: phenixdigital
Product: phoenix_storybook
CVSS: LOW 2.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-20
Original CVE updated: 2026-05-21
Advisory published: 2026-05-20
Advisory updated: 2026-05-21

Who should care

Teams using phoenix_storybook in development, staging, or internal demo environments, especially setups that rely on shared Phoenix.PubSub coordination between a Storybook playground LiveView and its iframe.

Technical summary

According to the CNA description, Elixir.PhoenixStorybook.Story.ComponentIframeLive.handle_params/3 reads params["topic"] and broadcasts {:component_iframe_pid, self()} on that topic without verifying that the topic belongs to the requesting session. The shared PhoenixStorybook.PubSub is used to coordinate playground LiveViews with their iframes, so a cross-session topic mismatch can make a victim playground send its private control messages to an attacker-controlled iframe process. The affected range is phoenix_storybook 0.4.0 up to, but not including, 1.1.0.

Defensive priority

Low to medium; the NVD record rates it LOW, but it can still matter in shared internal Storybook deployments where iframe routing is trusted for UI control.

Recommended defensive actions

  • Upgrade phoenix_storybook to 1.1.0 or later.
  • Treat iframe topic values as untrusted input and bind them server-side to the current session or playground instance.
  • Add server-side checks so a LiveView only accepts PubSub topics it issued for that session.
  • Review any code paths that use the iframe PID to send follow-up messages and confirm the destination cannot be cross-session hijacked.
  • Validate the upstream fix by comparing your deployed version against the referenced advisory and commit.
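The sketch below is an added illustration of the pattern behind the technical summary and the defensive actions above; it is not phoenix_storybook's own code. It assumes a PubSub named MyStorybook.PubSub, a token salt "iframe_topic", and the module, function and route names shown (all made up). The playground issues a short-lived signed token bound to a topic it generated itself, the iframe may only announce its PID on a topic it can verify from that token, and the playground accepts one PID announcement per session.

```elixir
# Added example, not phoenix_storybook's own code. MyStorybook.PubSub, the
# "iframe_topic" salt, the /iframe route and every module name are assumptions.
defmodule MyStorybook.PlaygroundLive do
  use Phoenix.LiveView
  require Logger

  @pubsub MyStorybook.PubSub
  @salt "iframe_topic"

  def mount(_params, _session, socket) do
    # One topic per playground instance; the random suffix keeps it unguessable.
    suffix = Base.url_encode64(:crypto.strong_rand_bytes(16), padding: false)
    topic = "playground:" <> suffix
    if connected?(socket), do: Phoenix.PubSub.subscribe(@pubsub, topic)

    # The iframe gets a signed, short-lived token for exactly this topic,
    # never the raw topic name it could swap for someone else's.
    token = Phoenix.Token.sign(socket.endpoint, @salt, topic)
    src = "/iframe?topic_token=" <> URI.encode_www_form(token)
    {:ok, assign(socket, topic: topic, iframe_src: src, iframe_pid: nil)}
  end

  # Accept the PID announcement only once per playground session; a later
  # announcement on the same topic is ignored and logged for review.
  def handle_info({:component_iframe_pid, pid}, %{assigns: %{iframe_pid: nil}} = socket) do
    {:noreply, assign(socket, :iframe_pid, pid)}
  end

  def handle_info({:component_iframe_pid, pid}, socket) do
    Logger.warning("ignoring duplicate iframe pid announcement from #{inspect(pid)}")
    {:noreply, socket}
  end

  # Control messages go only to the PID accepted above, never to a PID
  # taken from a later or unsolicited announcement.
  def handle_event("update_attrs", attrs, %{assigns: %{iframe_pid: pid}} = socket)
      when is_pid(pid) do
    send(pid, {:set_attrs, attrs})
    {:noreply, socket}
  end

  def handle_event("update_attrs", _attrs, socket), do: {:noreply, socket}

  def render(assigns) do
    ~H"""
    <iframe src={@iframe_src} />
    """
  end
end

defmodule MyStorybook.ComponentIframeLive do
  use Phoenix.LiveView

  @pubsub MyStorybook.PubSub
  @salt "iframe_topic"

  def mount(_params, _session, socket), do: {:ok, assign(socket, topic: nil, attrs: %{})}

  # Vulnerable shape as described in the advisory (kept only for contrast, not
  # wired to a route): the topic comes straight from the URL, so any iframe can
  # announce its PID on any playground's topic.
  def handle_params_unsafe(%{"topic" => topic}, _uri, socket) do
    Phoenix.PubSub.broadcast(@pubsub, topic, {:component_iframe_pid, self()})
    {:noreply, assign(socket, :topic, topic)}
  end

  # Hardened shape: the iframe announces itself only on a topic the server
  # signed for it; a tampered, expired or foreign token fails verification.
  def handle_params(%{"topic_token" => token}, _uri, socket) do
    case Phoenix.Token.verify(socket.endpoint, @salt, token, max_age: 300) do
      {:ok, topic} ->
        Phoenix.PubSub.broadcast(@pubsub, topic, {:component_iframe_pid, self()})
        {:noreply, assign(socket, :topic, topic)}

      {:error, reason} ->
        socket = socket |> put_flash(:error, "invalid iframe token: #{reason}") |> assign(:topic, nil)
        {:noreply, socket}
    end
  end

  def handle_params(_params, _uri, socket), do: {:noreply, assign(socket, :topic, nil)}

  # Follow-up control messages from the playground that accepted this PID.
  def handle_info({:set_attrs, attrs}, socket), do: {:noreply, assign(socket, :attrs, attrs)}

  def render(assigns) do
    ~H"""
    <p>topic: <%= @topic %></p>
    """
  end
end
```

The design choice worth noting is that ownership is proven by the signed token rather than by checking the topic string against a list: the token is produced only by the playground that subscribed to the topic, so an iframe loaded with a different query string cannot route its PID announcement to another session. The one-announcement-per-session rule on the playground side is an additional check that limits the damage if a topic value ever does leak.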

Evidence notes

The CNA/NVD description states that handle_params/3 reads the PubSub topic directly from params["topic"] and broadcasts {:component_iframe_pid, self()} without checking topic ownership. It also states that the shared PhoenixStorybook.PubSub connects playground LiveViews with their iframes, so the victim playground can be pointed at the attacker's iframe PID. The supplied metadata lists the affected range as 0.4.0 up to, but not including, 1.1.0, CWE-639, and a low-severity CVSS record; NVD also marked the vulnStatus as Deferred at ingestion time.

Official resources

Publicly disclosed on 2026-05-20T14:17:01.557Z. The supplied CVE and source timestamps match the disclosure window, and the NVD source item shows vulnStatus Deferred when ingested.