Skip to main content

OpenReplay CVE-2026-57230

| EUVDEUVD-2026-43035 MEDIUM
SQL Injection (CWE-89)
2026-07-10 GitHub_M
5.4
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
5.4 MEDIUM
AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:L
vuln.today AI
7.1 HIGH

Network API injection requiring only authenticated member access; AC:L because injection conditions are straightforward; UI:N because no victim interaction is needed; C:H for arbitrary table read; A:L for persistent search disruption.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

2
Analysis Generated
Jul 10, 2026 - 22:07 vuln.today
Patch available
Jul 10, 2026 - 22:02 EUVD

DescriptionCVE.org

OpenReplay is a self-hosted session replay suite. Prior to 1.27.0, the session search and analytics API in enterprise editions with multi-tenancy enabled built ClickHouse queries by inserting user input into the query string, including two positions that took input without escaping, allowing an authenticated member to read any ClickHouse table through blind boolean and time-based exfiltration and to break the project's session search for all viewers until the stored key is removed. This issue is fixed in version 1.27.0.

AnalysisAI

SQL injection in OpenReplay's enterprise session search and analytics API allows an authenticated member to exfiltrate arbitrary ClickHouse table data and disrupt session search for all project viewers. Affected are enterprise editions with multi-tenancy enabled, running versions prior to 1.27.0, where user-controlled input is inserted unsanitized into ClickHouse query strings at two positions. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as low-privilege member
Delivery
Target session search API endpoint
Exploit
Inject ClickHouse SQL into unescaped parameter
Execution
Execute blind boolean or time-based inference queries
Impact
Exfiltrate arbitrary ClickHouse table contents

Vulnerability AssessmentAI

Exploitation Exploitation requires: (1) a valid authenticated account at member privilege level on the target OpenReplay instance (CVSS PR:L confirmed), (2) the target must be running the enterprise edition - the community edition is not described as affected, (3) multi-tenancy must be explicitly enabled in the enterprise configuration - this is not a default in all deployments and must be operator-configured. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor-assigned CVSS score of 5.4 (Medium) reflects the combination of meaningful confidentiality impact (C:H - arbitrary ClickHouse table reads) tempered by requiring low privileges (PR:L), high attack complexity (AC:H), and user interaction (UI:R). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with a valid low-privilege member account on an OpenReplay enterprise instance with multi-tenancy enabled submits crafted payloads to the session search API endpoint, injecting ClickHouse SQL into one of the two unescaped parameters. Using blind time-based or boolean inference techniques - sending sequences of conditional queries and observing response timing or result changes - the attacker systematically extracts data character-by-character from sensitive ClickHouse tables such as user session records or cross-tenant analytics data. …
Remediation Upgrade to OpenReplay version 1.27.0, which contains the fix per the official release at https://github.com/openreplay/openreplay/releases/tag/v1.27.0. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57230 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy