Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable IDOR needing only a low-privilege account (PR:L, AC:L, UI:N); confidentiality set to Low because exposure is bounded to the first 15 seconds per session, with no integrity or availability impact.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
OpenReplay is a self-hosted session replay suite. From 1.22.0 before 1.27.0, getFirstMob returned 15-second presigned S3 download URLs for a session's DOM-replay recording based solely on the session path parameter, while validateProjectAccess checked only that the project belonged to the requester's tenant and did not verify that the session belonged to that project, allowing any authenticated low-privilege user to read another tenant's first 15 seconds of session-replay recording data. This issue is fixed in version 1.27.0.
AnalysisAI
Cross-tenant information disclosure in OpenReplay's self-hosted session-replay backend (versions 1.22.0 through 1.26.x) lets any authenticated low-privilege user retrieve the first 15 seconds of another tenant's DOM session-replay recording. The getFirstMob endpoint issued a 15-second presigned S3 URL keyed only on a user-supplied session path, while validateProjectAccess confirmed project-to-tenant ownership but never confirmed that the requested session actually belonged to that project, breaking multi-tenant isolation. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires a valid authenticated account on a shared, multi-tenant OpenReplay deployment (CVSS PR:L confirms low-privilege authentication is needed - this is not unauthenticated), plus knowledge or enumeration of another tenant's session identifiers passed as the session path parameter to getFirstMob. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H) describes a network-reachable, low-complexity, low-privilege bug requiring no user interaction - meaning any ordinary authenticated user can exploit it reliably, which raises practical concern despite the modest 7.1 base score. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers or already holds a low-privilege account on a shared multi-tenant OpenReplay instance, then calls the getFirstMob endpoint substituting session identifiers belonging to other tenants. The server returns a valid 15-second presigned S3 URL for each, letting the attacker download and view the opening seconds of victims' session recordings - potentially exposing PII, form input, or in-app screens - with no user interaction and no elevated privileges required. |
| Remediation | Vendor-released patch: upgrade to OpenReplay 1.27.0, which corrects the authorization check so that session ownership is validated against the project (and thus tenant) before a presigned S3 URL is issued; the fix is in PR https://github.com/openreplay/openreplay/pull/4692 and commit ddd09117f644a309c7b040cda0a11ff9433e9e49, with details in advisory https://github.com/openreplay/openreplay/security/advisories/GHSA-w2x5-m7w5-479h. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all deployed OpenReplay instances and confirm versions. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Openreplay
View allSQL injection in OpenReplay session replay before 1.20.0.
Stored cross-site scripting in OpenReplay 1.24.0 through versions before 1.25.0 allows an unauthenticated attacker holdi
OpenReplay is a self-hosted session replay suite. Rated low severity (CVSS 3.5), this vulnerability is remotely exploita
Broken object-level authorization (IDOR) in OpenReplay 1.27.0 and earlier lets any authenticated project member tamper w
SQL injection in OpenReplay's enterprise session search and analytics API allows an authenticated member to exfiltrate a
Cross-tenant Insecure Direct Object Reference (IDOR) in OpenReplay Enterprise Edition allows any authenticated user from
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43033