CVE-2026-47068: Authorization Bypass via Cross-Session PubSub Topic Injection in phoenix_storybook

The Elixir package phoenix_storybook is an interactive catalog designed to showcase and test Phoenix components. To maintain isolated styling scopes and avoid JavaScript pollution, the application loads component previews within nested <iframe> elements.

To synchronize the UI states (such as configuration variations, color modes, and themes) between the parent playground LiveView and the nested iframe LiveView, the application uses an Elixir-native Phoenix.PubSub server (PhoenixStorybook.PubSub).

The component iframe exposes an attack surface by reading communication parameters directly from the client. Unauthenticated users can exploit this behavior because the application fails to validate the ownership or integrity of these parameters, leading to an authorization bypass.

The root cause is a CWE-639 (Authorization Bypass Through User-Controlled Key) flaw. When the parent LiveView (StoryLive) mounts, it establishes a session-specific PubSub topic based on its process identifier (PID): playground_topic = "playground-#{inspect(self())}".

The parent then references this topic in the query parameters when rendering the iframe: /storybook/iframe/<story_name>?topic=playground-#PID<0.1234.0>.

Inside the iframe, the ComponentIframeLive LiveView extracts this parameter during the handle_params/3 lifecycle stage and immediately broadcasts its own process identifier (PID) to that topic without verifying session ownership. Any client can supply an arbitrary topic string, forcing the iframe process to broadcast itself to that channel.

The vulnerability was fixed in commit 6ee03f1c738d4436dde1b066cf65c80663d489f5 by replacing the plain text topic parameter with a cryptographically signed token generated via Phoenix.Token.

Prior to the patch, the application parsed the raw topic from the URL params and executed PubSub.broadcast!/3:

# VULNERABLE APPROACH
if params["topic"] do
  PubSub.broadcast!(
    PhoenixStorybook.PubSub,
    params["topic"],
    {:component_iframe_pid, self()}
  )
end

The updated implementation extracts a playground_token parameter and verifies it against the application's secure endpoint:

# PATCHED APPROACH
topic = verified_playground_topic(socket, params["playground_token"])
if topic do
  PubSub.broadcast!(
    PhoenixStorybook.PubSub,
    topic,
    {:component_iframe_pid, self()}
  )
end

This cryptographic verification ensures that only tokens signed by the parent application (using the server's secret_key_base) can specify a target communication channel.

Exploitation relies on predicting or intercepting the target victim's parent LiveView PID, which acts as the PubSub topic. In Elixir/BEAM systems, process identifiers are allocated sequentially, making them predictable in environments with low process churn.

An attacker crafts a URL targeting the storybook's iframe endpoint, appending the victim's estimated topic string: https://example.com/storybook/iframe/component?topic=playground-%23PID%3C0.1432.0%3E.

When the attacker loads this URL, their iframe LiveView broadcasts its process identifier (PID) to the victim's topic. The victim's parent LiveView accepts this spoofed PID. As a result, when the victim interacts with the UI, their private states, mock payloads, or theme selections are sent directly to the attacker's iframe process, triggering a cross-session information exposure.

The impact is classified as Low (CVSS 2.3) due to several restrictive prerequisites. The attack does not lead to direct Remote Code Execution (RCE) or complete system compromise. Instead, the consequences are restricted to cross-session information disclosure and unauthorized UI state manipulation.

An attacker can capture private mock variables, custom input attributes, and user-configured states intended only for the victim's display. No persistent changes are made to the database, and there is no direct impact on service availability.

To address this vulnerability, administrators should upgrade phoenix_storybook to version 1.1.0 or higher. This version deprecates the plain topic parameter in favor of signed tokens.

If upgrading immediately is not feasible, implement a manual code patch. Define a cryptographic salt and apply Phoenix.Token.verify/4 on incoming request parameters in lib/phoenix_storybook/live/story/component_iframe_live.ex.

Ensure that your application's secret_key_base is securely configured and rotated regularly, as the patch's cryptographic integrity depends entirely on the secrecy of this key.