Skip to main content

OpenReplay EUVDEUVD-2026-43031

| CVE-2026-55880 HIGH
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-07-10 GitHub_M
7.1
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
vuln.today AI
7.1 HIGH

Network API reachable with low complexity, but a valid low-privilege member account is required (PR:L); no data disclosure (C:N), high integrity from rewriting/deleting others' data (I:H), limited availability loss (A:L).

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jul 10, 2026 - 21:37 vuln.today

DescriptionCVE.org

OpenReplay is a self-hosted session replay suite. In 1.27.0 and earlier, three dashboard and note mutation functions ran their SQL without the ownership predicate that their sibling read and edit functions use: notes.delete filtered only on note id and project id, while dashboards.update_widget and dashboards.remove_widget filtered only on dashboard id and widget id, allowing any authenticated member to delete another user's private session notes and remove or rewrite widgets on another user's private dashboards.

AnalysisAI

Broken object-level authorization (IDOR) in OpenReplay 1.27.0 and earlier lets any authenticated project member tamper with other users' private data: the notes.delete, dashboards.update_widget, and dashboards.remove_widget backend functions omit the ownership predicate their sibling read/edit functions enforce, so they act on any note or widget matching only an id and project/dashboard id. An authenticated low-privilege member can delete another user's private session notes and remove or rewrite widgets on another user's private dashboards. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as low-privilege project member
Delivery
Enumerate target note/dashboard/widget ids
Exploit
Call notes.delete or dashboards.update_widget/remove_widget
Execution
Backend runs SQL without ownership check
Impact
Delete or rewrite victim's private notes and widgets

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated OpenReplay account that is a member of the same project as the victim (CVSS PR:L confirms authentication is needed; this is not unauthenticated). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L, base 7.1) is internally consistent with the description: network-reachable API, low complexity, requires an authenticated low-privilege account (PR:L), no user interaction, no confidentiality impact, high integrity impact (widgets can be rewritten/removed, notes deleted) and low availability impact (loss of specific records). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An analyst who is a low-privilege member of a shared OpenReplay project authenticates normally, then calls the dashboards.update_widget or dashboards.remove_widget API with a colleague's dashboard/widget id (or notes.delete with another user's note id), which the backend executes without checking ownership. The attacker silently rewrites or deletes another user's private dashboard widgets and notes; no user interaction or elevated privileges are required, though a valid member account and knowledge or enumeration of target resource ids is needed.
Remediation Upgrade to the fixed OpenReplay release published in vendor advisory GHSA-9xfv-p2fx-vmx9 (https://github.com/openreplay/openreplay/security/advisories/GHSA-9xfv-p2fx-vmx9); the advisory documents the fix but the provided data does not name an exact patched version number, so confirm the target release directly from that advisory before deploying. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Review project membership and permissions; audit API logs for suspicious delete/modification activity on notes and dashboards; identify high-sensitivity projects requiring immediate access restrictions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-43031 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy