v3.2.1

[cnkk]

Security related update

This patch release fixes a security vulnerability affecting the following versions of Plausible Community Edition (image: ghcr.io/plausible/community-edition):
Tags:

• v3.2
• v3.2.0
• v3
• v3.2.0-rc.0
• v3.1
• v3.1.0
• v3.1.0-rc.1
• v3.1.0-rc.0
• v3.0.1
• v3.0
• v3.0.0
• v3.0.0-rc.6
• v3.0.0-rc.5
• v3.0.0-rc.4
• v3.0.0-rc.3
• v3.0.0-rc.2
• v3.0.0-rc.1
• v3.0.0-rc.0

The affected versions expose a HTTP "/storybook" endpoint which, under certain conditions, allows remote code execution with privileges of system user running the application.

This release v3.2.1 of Plausible Community Edition completely removes that endpoint.

Who is affected?

All deployments of Plausible Community Edition running the following versions:

• v3.2
• v3.2.0
• v3
• v3.2.0-rc.0
• v3.1
• v3.1.0
• v3.1.0-rc.1
• v3.1.0-rc.0
• v3.0.1
• v3.0
• v3.0.0
• v3.0.0-rc.6
• v3.0.0-rc.5
• v3.0.0-rc.4
• v3.0.0-rc.3
• v3.0.0-rc.2
• v3.0.0-rc.1
• v3.0.0-rc.0

where HTTP "/storybook" endpoint is exposed to a public or other untrusted network.

Mitigation

All affected versions of Plausible Community Edition should be updated to v3.2.1 as soon as possible.

As an immediate mitigation, it is recommended to block access to HTTP "/storybook" endpoint in your reverse proxy configuration or via other applicable means.

Changes in this release

• Remove HTTP "/storybook" endpoint along with the associated logic

No other changes are included in this release.

---

This discussion was created from the release v3.2.1.

[Calyhre]

Thanks for the quick fix, but I feel that the framing here significantly undersells this.

I tested /storybook on a default instance and it's wide open, no auth. And it seems that it gives arbitrary code execution as the app's system user via the websocket. Is it related to CVE-2026-8467 / GHSA-55hg-8qxv-qj4p? If so, the affected dependency was shipped in the CE image since v3 (more than a year of releases).

Honestly, I feel lucky that I randomly came across this release and upgraded my instance quickly. Anyone who isn't watching this repo has almost no way to know they're running an unauthenticated RCE.

I have a few concerns about it:

1. No CVE / GitHub Security Advisory. Posted inside a release description, this won't surface in automated security scanners. Feels like an unauthenticated RCE warrants a bit more than a release note.

2. "under certain conditions" / "untrusted network". Self-hosted Plausible is public-facing by design, and /storybook was reachable unauthenticated. Saying this only applies under certains conditions really undersell the potency of this vulnerability.

3. No compromise guidance. This was exploitable for a bit more than a year. Anyone whose /storybook was reachable should assume possible breach: rotate secrets/DB creds and check logs for unexpected /storybook access. Some IOCs would help.

Removing the route was definitely the right call, but please publish a proper GHSA/CVE, link the upstream advisory (if it's the same one), and add compromise-assessment steps so self-hosters who don't watch this repo find out in time.

[Calyhre]

Quick follow up because I got curious where this could lead and dug a bit: It's pretty straight forward to get a complete system access with a default setup of community edition, completely unauthenticated.

There seems to be ~1758 instances publicly available (checked via Shodan and CE favicon hash).