Thanks for the quick fix, but I feel that the framing here significantly undersells this.
I tested /storybook on a default instance and it's wide open, no auth. And it seems that it gives arbitrary code execution as the app's system user via the websocket. Is it related to CVE-2026-8467 / GHSA-55hg-8qxv-qj4p? If so, the affected dependency was shipped in the CE image since v3 (more than a year of releases).
Honestly, I feel lucky that I randomly came across this release and upgraded my instance quickly. Anyone who isn't watching this repo has almost no way to know they're running an unauthenticated RCE.
I have a few concerns about it:
- No CVE / GitHub Security Advisory. Posted inside a release description, this won't surface in automated security scanners. Feels like an unauthenticated RCE warrants a bit more than a release note.
- "under certain conditions" / "untrusted network". Self-hosted Plausible is public-facing by design, and /storybook was reachable unauthenticated. Saying this only applies under certain conditions really undersells the potency of this vulnerability.
- No compromise guidance. This was exploitable for a bit more than a year. Anyone whose /storybook was reachable should assume possible breach: rotate secrets/DB creds and check logs for unexpected /storybook access. Some IOCs would help.
Removing the route was definitely the right call, but please publish a proper GHSA/CVE, link the upstream advisory (if it's the same one), and add compromise-assessment steps so self-hosters who don't watch this repo find out in time.
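A log triage helper for the compromise check the comment asks for, added here as an illustration and not code from the thread or from the Plausible project: it parses reverse-proxy access log lines (combined log format is an assumption), summarises which sources reached /storybook, and flags sources that completed a websocket upgrade (HTTP 101). The sample lines are constructed.

```python
import re
from collections import defaultdict
# Constructed sample lines in combined log format (an assumption about the
# reverse proxy in front of the app); these are not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2026:08:01:12 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2026:08:02:40 +0000] "GET /storybook HTTP/1.1" 200 18342 "-" "curl/8.4.0"
198.51.100.23 - - [10/Mar/2026:08:02:41 +0000] "GET /storybook HTTP/1.1" 101 0 "-" "curl/8.4.0"
203.0.113.7 - - [10/Mar/2026:08:03:05 +0000] "GET /sites HTTP/1.1" 200 4311 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2026:08:04:00 +0000] "GET /storybook/?x=1 HTTP/1.1" 404 0 "-" "python-requests/2.31"
"""
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
SUSPECT_PREFIX = "/storybook"  # the route the fix removed

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def storybook_hits(lines):
    """Summarise, per source IP, every request to /storybook or anything below it.
    A 101 status is a protocol switch (the websocket upgrade), counted separately."""
    by_ip = defaultdict(lambda: {"count": 0, "first": None, "ws_upgrades": 0,
                                 "agents": set(), "paths": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip it rather than miscount
        path = rec["path"].split("?", 1)[0]  # drop any query string
        if path != SUSPECT_PREFIX and not path.startswith(SUSPECT_PREFIX + "/"):
            continue
        s = by_ip[rec["ip"]]
        s["count"] += 1
        s["first"] = s["first"] or rec["ts"]
        s["ws_upgrades"] += int(rec["status"] == "101")
        s["agents"].add(rec["ua"])
        s["paths"].add(path)
    return dict(by_ip)

def assess(lines):
    """Return (per-IP summary, sorted IPs that completed a websocket upgrade)."""
    hits = storybook_hits(lines)
    return hits, sorted(ip for ip, s in hits.items() if s["ws_upgrades"])

if __name__ == "__main__":
    hits, upgraded = assess(SAMPLE_LOG.splitlines())
    print(hits, "\nsources that completed a websocket upgrade:", upgraded)
```

Any source in the second list should be treated as a likely compromise; sources in the first list with only 404s still show that the route was being probed.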