CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Description (NVD)
OpenReplay is a self-hosted session replay suite. Prior to 1.26.0, OpenReplay's Python API exposes several app_apikey routes that trust a caller-provided projectKey after validating only that the API key itself is valid and that the target projectKey exists. The authorization flow does not verify that the authenticated API key and the requested project belong to the same tenant. Because the public tracker design exposes projectKey to browser-side code, an attacker who owns any valid API key for their own tenant can target another tenant's project by reusing that public projectKey. The vulnerable routes allow the attacker to enumerate victim user sessions and then retrieve sensitive session event data across the tenant boundary. This vulnerability is fixed in 1.26.0.
Analysis (AI)
Cross-tenant data exposure in OpenReplay self-hosted session replay suite (versions prior to 1.26.0) allows an attacker holding any valid API key for their own tenant to enumerate sessions and retrieve sensitive session event data belonging to other tenants. The flaw stems from app_apikey routes in the Python API that validate the API key and the existence of a projectKey independently, but never confirm the two belong to the same tenant. …
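The description and analysis above both describe the same authorization gap: the route checks that the API key is valid and that the projectKey exists, but never that the two belong to the same tenant. The following is an added illustration, not OpenReplay's code; it models the flaw in a small in-memory Python service with constructed tenants, keys and sessions (all names such as `authorize_project`, `list_sessions_vulnerable` and the `pk-tenant-*` keys are hypothetical). It shows the vulnerable pattern beside a fixed version in which the tenant check lives in one shared helper that every projectKey-scoped route calls, so a later route cannot omit it.

```python
"""
Constructed model of a projectKey-scoped API with and without a tenant check.
Not OpenReplay's code; names and data are made up for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


class AuthError(Exception):
    """Raised when a request must be rejected."""


@dataclass(frozen=True)
class ApiKey:
    key: str
    tenant_id: int


@dataclass(frozen=True)
class Project:
    project_key: str  # public: the tracker snippet ships this to every visitor's browser
    tenant_id: int


# Constructed fixture: two tenants, each with one API key, one project and some sessions.
API_KEYS: Dict[str, ApiKey] = {
    "key-tenant-1": ApiKey("key-tenant-1", tenant_id=1),
    "key-tenant-2": ApiKey("key-tenant-2", tenant_id=2),
}
PROJECTS: Dict[str, Project] = {
    "pk-tenant-1": Project("pk-tenant-1", tenant_id=1),
    "pk-tenant-2": Project("pk-tenant-2", tenant_id=2),
}
SESSIONS: Dict[str, List[str]] = {
    "pk-tenant-1": ["s-101", "s-102"],
    "pk-tenant-2": ["s-201"],
}
EVENTS: Dict[str, List[str]] = {
    "s-101": ["click #login", "input #email=alice@example.com"],
    "s-102": ["navigate /billing"],
    "s-201": ["navigate /home"],
}


def authenticate(api_key: str) -> ApiKey:
    key = API_KEYS.get(api_key)
    if key is None:
        raise AuthError("invalid API key")
    return key


def load_project(project_key: str) -> Project:
    project = PROJECTS.get(project_key)
    if project is None:
        raise AuthError("unknown projectKey")
    return project


def list_sessions_vulnerable(api_key: str, project_key: str) -> List[str]:
    """The pattern the advisory describes: key is valid, project exists, nothing ties them together."""
    authenticate(api_key)
    project = load_project(project_key)
    return list(SESSIONS[project.project_key])


def authorize_project(api_key: str, project_key: str) -> Project:
    """Single chokepoint for every projectKey-scoped route: key valid, project exists, same tenant."""
    key = authenticate(api_key)
    project = load_project(project_key)
    if project.tenant_id != key.tenant_id:
        # Same error as the not-found case so the response does not confirm
        # that another tenant's projectKey exists.
        raise AuthError("unknown projectKey")
    return project


def list_sessions_fixed(api_key: str, project_key: str) -> List[str]:
    project = authorize_project(api_key, project_key)
    return list(SESSIONS[project.project_key])


def session_events_fixed(api_key: str, project_key: str, session_id: str) -> List[str]:
    """Second route using the same chokepoint; also refuses a session that is not in the project."""
    project = authorize_project(api_key, project_key)
    if session_id not in SESSIONS[project.project_key]:
        raise AuthError("unknown session")
    return list(EVENTS[session_id])


def attempt(handler: Callable[..., List[str]], *args: str) -> Optional[List[str]]:
    """Demo helper: returns leaked data, or None when the route refuses."""
    try:
        return handler(*args)
    except AuthError:
        return None


if __name__ == "__main__":
    # Attacker holds tenant 2's key and replays tenant 1's public projectKey.
    print("vulnerable:", attempt(list_sessions_vulnerable, "key-tenant-2", "pk-tenant-1"))
    print("fixed:     ", attempt(list_sessions_fixed, "key-tenant-2", "pk-tenant-1"))
    print("events:    ", attempt(session_events_fixed, "key-tenant-2", "pk-tenant-1", "s-101"))
```

Putting the tenant comparison in `authorize_project` rather than in each handler is the design point: the enumeration route and the event-retrieval route are two separate places the check could be forgotten, and the advisory notes that several routes were affected. Returning the not-found error for the cross-tenant case avoids turning the fixed endpoint into an oracle for which projectKeys exist.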
Remediation (AI)
24 hours: Identify all OpenReplay deployments, document current versions, and assess the sensitivity of captured session data. 7 days: Restrict API endpoint access using network firewalls or Web Application Firewall (WAF) rules; enable comprehensive API request logging with real-time alerts for cross-tenant access attempts. …
EUVD-2026-32971