Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
8.9
Storybook Dev Server WebSocket Hijacking Risk
CVE-2026-27148
GHSA-mjf5-7g4m-gx5w
Summary
If you're using an older version of Storybook's dev server, a hacker could potentially take control of your local development environment by sending malicious messages to your computer. This is a risk if you're sharing your dev server publicly, but it's not a concern if it's only accessible from your local machine. Update to the latest version of Storybook to fix the issue.
What to do
- Update GitHub Actions storybook to version 8.6.17.
- Update GitHub Actions storybook to version 9.1.19.
- Update GitHub Actions storybook to version 10.2.10.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| GitHub Actions | storybook | > 8.1.0 , <= 8.6.17 | 8.6.17 |
| GitHub Actions | storybook | > 8.7.0-alpha.0 , <= 9.1.19 | 9.1.19 |
| GitHub Actions | storybook | > 10.0.0-beta.0 , <= 10.2.10 | 10.2.10 |
| storybook | storybook | <= 7.6.23 | – |
| storybook | storybook | > 8.1.0 , <= 8.6.17 | – |
| storybook | storybook | > 9.0.0 , <= 9.1.19 | – |
| storybook | storybook | > 10.0.0 , <= 10.2.10 | – |
Original title
Storybook is a frontend workshop for building user interface components and pages in isolation. Prior to versions 7.6.23, 8.6.17, 9.1.19, and 10.2.10, the WebSocket functionality in Storybook's dev...
Original description
Storybook is a frontend workshop for building user interface components and pages in isolation. Prior to versions 7.6.23, 8.6.17, 9.1.19, and 10.2.10, the WebSocket functionality in Storybook's dev server, used to create and update stories, is vulnerable to WebSocket hijacking. This vulnerability only affects the Storybook dev server; production builds are not impacted. Exploitation requires a developer to visit a malicious website while their local Storybook dev server is running. Because the WebSocket connection does not validate the origin of incoming connections, a malicious site can silently send WebSocket messages to the local instance without any further user interaction. If the Storybook dev server is intentionally exposed publicly (e.g. for design reviews or stakeholder demos) the risk is higher, as no malicious site visit is required. Any unauthenticated attacker can send WebSocket messages to it directly. The vulnerability affects the WebSocket message handlers for creating and saving stories. Both are vulnerable to injection via unsanitized input in the componentFilePath field, which can be exploited to achieve persistent XSS or Remote Code Execution (RCE). Versions 7.6.23, 8.6.17, 9.1.19, and 10.2.10 contain a fix for the issue.
nvd CVSS4.0
8.9
Vulnerability type
CWE-74
Injection
CWE-79
Cross-site Scripting (XSS)
CWE-1385
- https://github.com/storybookjs/storybook/commit/0affdf928bd6fafbadfb1dfe22ce6104...
- https://github.com/storybookjs/storybook/commit/54689a8add18ea75d628c540f4bc6775...
- https://github.com/storybookjs/storybook/commit/b8cfa77c73940c140acdcd8a06ab1ea9...
- https://github.com/storybookjs/storybook/commit/d34085f39c647f5c23c3a3b2d197c186...
- https://github.com/storybookjs/storybook/releases/tag/v10.2.10
- https://github.com/storybookjs/storybook/releases/tag/v7.6.23
- https://github.com/storybookjs/storybook/releases/tag/v8.6.17
- https://github.com/storybookjs/storybook/releases/tag/v9.1.19
- https://github.com/storybookjs/storybook/security/advisories/GHSA-mjf5-7g4m-gx5w
- https://nvd.nist.gov/vuln/detail/CVE-2026-27148
- https://github.com/advisories/GHSA-mjf5-7g4m-gx5w
Published: 25 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026