CVE-2026-27148: Storybook Dev Server is Vulnerable to WebSocket Hijacking
The WebSocket functionality in Storybook’s dev server, used to create and update stories, is vulnerable to WebSocket hijacking. This vulnerability only affects the Storybook dev server; production builds are not impacted.
References
- github.com/advisories/GHSA-mjf5-7g4m-gx5w
- github.com/storybookjs/storybook
- github.com/storybookjs/storybook/commit/0affdf928bd6fafbadfb1dfe22ce6104805e10e8
- github.com/storybookjs/storybook/commit/54689a8add18ea75d628c540f4bc677592a1e685
- github.com/storybookjs/storybook/commit/b8cfa77c73940c140acdcd8a06ab1ea913c44761
- github.com/storybookjs/storybook/commit/d34085f39c647f5c23c3a3b2d197c18602fcf876
- github.com/storybookjs/storybook/releases/tag/v10.2.10
- github.com/storybookjs/storybook/releases/tag/v7.6.23
- github.com/storybookjs/storybook/releases/tag/v8.6.17
- github.com/storybookjs/storybook/releases/tag/v9.1.19
- github.com/storybookjs/storybook/security/advisories/GHSA-mjf5-7g4m-gx5w
- nvd.nist.gov/vuln/detail/CVE-2026-27148