Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
Network API reachable with low complexity, but a valid low-privilege member account is required (PR:L); no data disclosure (C:N), high integrity from rewriting/deleting others' data (I:H), limited availability loss (A:L).
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
Lifecycle Timeline
1DescriptionCVE.org
OpenReplay is a self-hosted session replay suite. In 1.27.0 and earlier, three dashboard and note mutation functions ran their SQL without the ownership predicate that their sibling read and edit functions use: notes.delete filtered only on note id and project id, while dashboards.update_widget and dashboards.remove_widget filtered only on dashboard id and widget id, allowing any authenticated member to delete another user's private session notes and remove or rewrite widgets on another user's private dashboards.
AnalysisAI
Broken object-level authorization (IDOR) in OpenReplay 1.27.0 and earlier lets any authenticated project member tamper with other users' private data: the notes.delete, dashboards.update_widget, and dashboards.remove_widget backend functions omit the ownership predicate their sibling read/edit functions enforce, so they act on any note or widget matching only an id and project/dashboard id. An authenticated low-privilege member can delete another user's private session notes and remove or rewrite widgets on another user's private dashboards. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated OpenReplay account that is a member of the same project as the victim (CVSS PR:L confirms authentication is needed; this is not unauthenticated). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L, base 7.1) is internally consistent with the description: network-reachable API, low complexity, requires an authenticated low-privilege account (PR:L), no user interaction, no confidentiality impact, high integrity impact (widgets can be rewritten/removed, notes deleted) and low availability impact (loss of specific records). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An analyst who is a low-privilege member of a shared OpenReplay project authenticates normally, then calls the dashboards.update_widget or dashboards.remove_widget API with a colleague's dashboard/widget id (or notes.delete with another user's note id), which the backend executes without checking ownership. The attacker silently rewrites or deletes another user's private dashboard widgets and notes; no user interaction or elevated privileges are required, though a valid member account and knowledge or enumeration of target resource ids is needed. |
| Remediation | Upgrade to the fixed OpenReplay release published in vendor advisory GHSA-9xfv-p2fx-vmx9 (https://github.com/openreplay/openreplay/security/advisories/GHSA-9xfv-p2fx-vmx9); the advisory documents the fix but the provided data does not name an exact patched version number, so confirm the target release directly from that advisory before deploying. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Review project membership and permissions; audit API logs for suspicious delete/modification activity on notes and dashboards; identify high-sensitivity projects requiring immediate access restrictions. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Openreplay
View allSQL injection in OpenReplay session replay before 1.20.0.
Stored cross-site scripting in OpenReplay 1.24.0 through versions before 1.25.0 allows an unauthenticated attacker holdi
OpenReplay is a self-hosted session replay suite. Rated low severity (CVSS 3.5), this vulnerability is remotely exploita
Cross-tenant information disclosure in OpenReplay's self-hosted session-replay backend (versions 1.22.0 through 1.26.x)
SQL injection in OpenReplay's enterprise session search and analytics API allows an authenticated member to exfiltrate a
Cross-tenant Insecure Direct Object Reference (IDOR) in OpenReplay Enterprise Edition allows any authenticated user from
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43031