# [CRIT] [GHSA / CRITICAL] CVE-2026-8467: PhoenixStorybook: Unauthenticated remote code execution via HEEx template injection in phoenix_storybook playground

**Source:** GitHub Security Advisories
**Published:** 2026-06-09
**Article:** https://github.com/advisories/GHSA-55hg-8qxv-qj4p

## Threat Profile

PhoenixStorybook: Unauthenticated remote code execution via HEEx template injection in phoenix_storybook playground

### Summary
An unsafe HEEx template generation vulnerability allows any unauthenticated user to execute arbitrary code on the server. The phoenix_storybook playground accepts user-controlled attribute values over WebSocket and interpolates them unsanitized into a HEEx template that is subsequently compiled and evaluated with full Elixir `Kernel` access.

### Details
The vulnerabil…

## Indicators of Compromise (high-fidelity only)

- **CVE:** `CVE-2026-8467`

## MITRE ATT&CK Techniques

- **T1190** — Exploit Public-Facing Application
- **T1204.002** — User Execution: Malicious File
- **T1071.001** — Application Layer Protocol: Web Protocols
- **T1059** — Command and Scripting Interpreter
- **T1059.004** — Unix Shell
- **T1059.001** — PowerShell
- **T1071.001** — Web Protocols
- **T1571** — Non-Standard Port
- **T1505.003** — Server Software Component: Web Shell
- **T1518** — Software Discovery

## Kill chain phases observed

_(none detected from narrative keywords)_

## Recommended hunts

### Unauthenticated WebSocket / HTTP 101 upgrade to phoenix_storybook playground routes

`UC_75_2` · phase: **delivery** · confidence: **Medium** · AI-generated for this article

**Splunk SPL (CIM):**
```spl
| tstats summariesonly=true count min(_time) as firstSeen max(_time) as lastSeen from datamodel=Web where (Web.url="*/storybook/*" OR Web.url="*/_storybook*" OR Web.url="*phoenix_storybook*") AND Web.status="101" by Web.src, Web.user_agent, Web.dest, Web.url, Web.status | `drop_dm_object_name(Web)` | where NOT cidrmatch("10.0.0.0/8",src) AND NOT cidrmatch("192.168.0.0/16",src) AND NOT cidrmatch("172.16.0.0/12",src) | sort - lastSeen
```

**Defender KQL:**
```kql
let LookbackPeriod = 7d;
let beamHosts = DeviceProcessEvents
| where Timestamp > ago(LookbackPeriod)
| where FileName has_any ("beam.smp","erl.exe","erlexec") or InitiatingProcessFileName has_any ("beam.smp","erl.exe","erlexec")
| distinct DeviceName;
DeviceNetworkEvents
| where Timestamp > ago(LookbackPeriod)
| where DeviceName in (beamHosts)
| where ActionType in ("InboundConnectionAccepted","ConnectionInboundAccepted")
| where LocalPort in (4000,4001,4002,4003,4004,5000,8080,8443)   // common Phoenix listening ports
| where RemoteIPType == "Public"
| project Timestamp, DeviceName, RemoteIP, RemotePort, LocalPort, Protocol, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc
```

### HEEx / Elixir Kernel injection markers in BEAM-spawned process command line (CVE-2026-8467)

`UC_75_3` · phase: **exploit** · confidence: **High** · AI-generated for this article

**Splunk SPL (CIM):**
```spl
| tstats summariesonly=true count min(_time) as firstSeen max(_time) as lastSeen values(Processes.process) as cmd values(Processes.process_name) as child_name from datamodel=Endpoint.Processes where Processes.parent_process_name IN ("beam.smp","erl.exe","erlexec","beam") AND (Processes.process="*System.cmd*" OR Processes.process="*Code.eval*" OR Processes.process="*EEx.compile_string*" OR Processes.process="*Code.eval_quoted*" OR Processes.process="*Kernel.apply*" OR Processes.process="*:os.cmd*") by Processes.dest, Processes.user, Processes.parent_process_name | `drop_dm_object_name(Processes)` | sort - lastSeen
```

**Defender KQL:**
```kql
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName has_any ("beam.smp","erl.exe","erlexec","beam")
| where ProcessCommandLine has_any ("System.cmd","Code.eval","EEx.compile_string","Code.eval_quoted","Kernel.apply",":os.cmd","injected={")
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine, FolderPath, SHA256
| order by Timestamp desc
```

### BEAM / Erlang VM spawns shell or interpreter child (post-RCE — CVE-2026-8467)

`UC_75_4` · phase: **install** · confidence: **High** · AI-generated for this article

**Splunk SPL (CIM):**
```spl
| tstats summariesonly=true count min(_time) as firstSeen max(_time) as lastSeen values(Processes.process) as cmd from datamodel=Endpoint.Processes where Processes.parent_process_name IN ("beam.smp","erl.exe","erlexec","beam") AND Processes.process_name IN ("sh","bash","dash","zsh","ksh","cmd.exe","powershell.exe","pwsh.exe","curl","wget","nc","ncat","socat","python","python3","perl","ruby") by Processes.dest, Processes.user, Processes.parent_process_name, Processes.process_name | `drop_dm_object_name(Processes)` | sort - lastSeen
```

**Defender KQL:**
```kql
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName has_any ("beam.smp","erl.exe","erlexec","beam")
| where FileName has_any ("sh","bash","dash","zsh","ksh","cmd.exe","powershell.exe","pwsh.exe","curl","wget","nc","ncat","socat","python","python3","perl","ruby")
| where AccountName !endswith "$"
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine, FolderPath
| order by Timestamp desc
```

### BEAM process outbound to new public destination or non-standard port (post-RCE C2)

`UC_75_5` · phase: **c2** · confidence: **Medium** · AI-generated for this article

**Splunk SPL (CIM):**
```spl
| tstats summariesonly=true count min(_time) as firstSeen max(_time) as lastSeen from datamodel=Network_Traffic where All_Traffic.app IN ("beam.smp","erl.exe","erlexec","beam") AND All_Traffic.direction="outbound" AND All_Traffic.dest_category!="internal" AND NOT (All_Traffic.dest_port IN (80,443,53,25,587,4369,5432,3306,6379)) by All_Traffic.src, All_Traffic.app, All_Traffic.dest_ip, All_Traffic.dest_port | `drop_dm_object_name(All_Traffic)` | where NOT cidrmatch("10.0.0.0/8",dest_ip) AND NOT cidrmatch("192.168.0.0/16",dest_ip) AND NOT cidrmatch("172.16.0.0/12",dest_ip) | sort - lastSeen
```

**Defender KQL:**
```kql
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName has_any ("beam.smp","erl.exe","erlexec","beam")
| where ActionType in ("ConnectionSuccess","ConnectionAttempt")
| where RemoteIPType == "Public"
| where RemotePort !in (80,443,53,25,587,4369,5432,3306,6379)
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp), Hits=count() by DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteIP, RemotePort, Protocol
| order by FirstSeen desc
```

### Erlang .beam compiled module dropped to /tmp, /dev/shm, or %TEMP% by BEAM runtime

`UC_75_6` · phase: **install** · confidence: **High** · AI-generated for this article

**Splunk SPL (CIM):**
```spl
| tstats summariesonly=true count min(_time) as firstSeen max(_time) as lastSeen values(Filesystem.file_path) as paths from datamodel=Endpoint.Filesystem where Filesystem.process_name IN ("beam.smp","erl.exe","erlexec","beam") AND Filesystem.action="created" AND Filesystem.file_name="*.beam" AND (Filesystem.file_path="*/tmp/*" OR Filesystem.file_path="*/var/tmp/*" OR Filesystem.file_path="*/dev/shm/*" OR Filesystem.file_path="*/run/*" OR Filesystem.file_path="*\\Temp\\*") by Filesystem.dest, Filesystem.user, Filesystem.process_name, Filesystem.file_name | `drop_dm_object_name(Filesystem)` | sort - lastSeen
```

**Defender KQL:**
```kql
DeviceFileEvents
| where Timestamp > ago(7d)
| where ActionType in ("FileCreated","FileModified","FileRenamed")
| where FileName endswith ".beam"
| where FolderPath has_any ("/tmp/","/var/tmp/","/dev/shm/","/run/","\\Temp\\","\\AppData\\Local\\Temp\\")
| where InitiatingProcessFileName has_any ("beam.smp","erl.exe","erlexec","beam")
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, FolderPath, FileName, SHA256, FileSize
| order by Timestamp desc
```

### Vulnerable phoenix_storybook (>=0.5.0, <1.1.0) software inventory for CVE-2026-8467

`UC_75_7` · phase: **recon** · confidence: **High** · AI-generated for this article

**Splunk SPL (CIM):**
```spl
| tstats summariesonly=true count values(Filesystem.file_path) as paths from datamodel=Endpoint.Filesystem where Filesystem.file_name IN ("mix.lock","mix.exs") by Filesystem.dest, Filesystem.file_name, Filesystem.file_path | `drop_dm_object_name(Filesystem)` | join type=left dest [| search index=* sourcetype="file_content" (file_name=mix.lock OR file_name=mix.exs) "phoenix_storybook" | rex field=_raw "phoenix_storybook[\"\s,:]+\"?(?<ps_version>\d+\.\d+\.\d+)" | eval ps_affected = if(match(ps_version, "^0\.(5|6|7|8|9)\.") OR match(ps_version, "^1\.0\."), "yes", "no") | table dest, ps_version, ps_affected] | where ps_affected="yes" | sort dest
```

**Defender KQL:**
```kql
DeviceTvmSoftwareVulnerabilities
| where CveId =~ "CVE-2026-8467" or (SoftwareName =~ "phoenix_storybook" and SoftwareVersion matches regex @"^(0\.(5|6|7|8|9)\.|1\.0\.)")
| project Timestamp, DeviceName, OSPlatform, SoftwareVendor, SoftwareName, SoftwareVersion, CveId, VulnerabilitySeverityLevel, RecommendedSecurityUpdate
| order by Timestamp desc
```

### Article-specific behavioural hunt — [GHSA / CRITICAL] CVE-2026-8467: PhoenixStorybook: Unauthenticated remote code e

`UC_75_1` · phase: **exploit** · confidence: **High**

**Splunk SPL (CIM):**
```spl
``` Article-specific bespoke detection — [GHSA / CRITICAL] CVE-2026-8467: PhoenixStorybook: Unauthenticated remote code e ```
| tstats `summariesonly` count earliest(_time) AS firstTime latest(_time) AS lastTime
    from datamodel=Endpoint.Processes
    where (Processes.process_name IN ("system.cmd"))
    by Processes.dest, Processes.user, Processes.process_name,
       Processes.process, Processes.parent_process_name, Processes.process_path
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| append [
| tstats `summariesonly` count
    from datamodel=Endpoint.Filesystem
    where Filesystem.action IN ("created","modified")
      AND (Filesystem.file_name IN ("system.cmd"))
    by Filesystem.dest, Filesystem.user, Filesystem.process_name,
       Filesystem.file_path, Filesystem.file_name
| `drop_dm_object_name(Filesystem)`
]
```

**Defender KQL:**
```kql
// Article-specific bespoke detection — [GHSA / CRITICAL] CVE-2026-8467: PhoenixStorybook: Unauthenticated remote code e
// Hunts the actual binaries / paths / commandline fragments named
// in the article instead of a generic technique-class template.
DeviceProcessEvents
| where Timestamp > ago(30d)
| where (FileName in~ ("system.cmd"))
| project Timestamp, DeviceName, AccountName, FileName,
          FolderPath, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc

// File-creation events for the named binaries / paths
DeviceFileEvents
| where Timestamp > ago(30d)
| where ActionType in ("FileCreated","FileModified")
| where (FileName in~ ("system.cmd"))
| project Timestamp, DeviceName, AccountName, FolderPath,
          FileName, ActionType, InitiatingProcessFileName,
          InitiatingProcessCommandLine
| order by Timestamp desc
```

### IOC-driven hunts (use shared templates)

These are standard IOC-substitution hunts — the canonical SPL and KQL live once in [`_TEMPLATES.md`](../_TEMPLATES.md), so we don't repeat the same boilerplate on every CVE / hash / network-IOC briefing.

- **Asset exposure — vulnerability matches article CVE(s)** ([template](../_TEMPLATES.md#asset-exposure)) — phase: **recon**, confidence: **High**
  - CVE(s): `CVE-2026-8467`


## Why this matters

Severity classified as **CRIT** based on: CVE present, 8 use case(s) fired, 10 technique(s) inferred. Read the full article for actor attribution, tooling details, and any defanged IOCs in the body that aren't visible in the RSS summary.