Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionGitHub Advisory
OpenReplay is a self-hosted session replay suite. Prior to 1.26.0, OpenReplay's Python API exposes several app_apikey routes that trust a caller-provided projectKey after validating only that the API key itself is valid and that the target projectKey exists. The authorization flow does not verify that the authenticated API key and the requested project belong to the same tenant. Because the public tracker design exposes projectKey to browser-side code, an attacker who owns any valid API key for their own tenant can target another tenant's project by reusing that public projectKey. The vulnerable routes allow the attacker to enumerate victim user sessions and then retrieve sensitive session event data across the tenant boundary. This vulnerability is fixed in 1.26.0.
AnalysisAI
Cross-tenant data exposure in OpenReplay self-hosted session replay suite (versions prior to 1.26.0) allows an attacker holding any valid API key for their own tenant to enumerate sessions and retrieve sensitive session event data belonging to other tenants. The flaw stems from app_apikey routes in the Python API that validate the API key and the existence of a projectKey independently, but never confirm the two belong to the same tenant. No public exploit identified at time of analysis, though the trivial nature of the abuse (substituting a browser-visible projectKey) makes weaponization straightforward.
Technical ContextAI
OpenReplay is an open-source, self-hosted session replay platform whose Python API services serve as the authorization layer for replay and analytics endpoints. The CPE cpe:2.3:a:openreplay:openreplay covers all versions prior to 1.26.0. The root cause maps to CWE-284 (Improper Access Control): the app_apikey-prefixed routes accept a caller-supplied projectKey, validate that the API key is well-formed and that the projectKey exists in the database, but never enforce that the two share a tenant/organization scope. Because projectKey is intentionally embedded in the public JavaScript tracker shipped to end-user browsers, it is treated as a public identifier - yet the API treats possession of a valid API key plus knowledge of a projectKey as sufficient authorization, collapsing the multi-tenant boundary.
RemediationAI
Vendor-released patch: upgrade to OpenReplay 1.26.0 or later, which adds tenant-scope verification between the authenticated API key and the requested projectKey; details are in the advisory at https://github.com/openreplay/openreplay/security/advisories/GHSA-8wmc-vpmf-cjf5. If an immediate upgrade is not possible, operators of multi-tenant deployments should restrict network access to the Python API so that only trusted tenants or internal services can reach the app_apikey routes (trade-off: breaks legitimate third-party API integrations), rotate API keys and treat any cross-tenant projectKey access in logs as suspicious, and consider running each tenant in an isolated deployment until patched (trade-off: operational overhead). Single-tenant deployments face limited exposure but should still patch.
Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t
BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser
pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi
The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne
Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301
Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32971