A WebSocket hijacking vulnerability (CVE-2026-27148) in Storybook's dev server allows attackers to write arbitrary JavaScript into story source files. The WebSocket endpoint at /storybook-server-channel has no authentication, origin validation, or access control. Attackers can send crafted messages to inject code into generated story files via unsanitized componentFilePath or componentExportName fields. For publicly exposed dev servers, exploitation requires no user interaction. For local instances, a developer visiting a malicious page triggers the attack. The injected payload persists on disk, can be committed to version control, and escalates to RCE when test runners like Vitest execute the story files in Node.js. This enables credential exfiltration, filesystem access, and CI/CD pipeline compromise. Patched versions are 7.6.23, 8.6.17, 9.1.19, and 10.2.10.
Table of contents
The vulnerability
The attack: from web socket message to code injection
Escalation: From XSS to RCE
The supply chain angle
Browser protections
Remediation
Timeline