Skip to main content

OpenReplay EUVDEUVD-2026-43033

| CVE-2026-55881 HIGH
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-07-10 GitHub_M
7.1
CVSS 4.0 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
4.3 MEDIUM

Network-reachable IDOR needing only a low-privilege account (PR:L, AC:L, UI:N); confidentiality set to Low because exposure is bounded to the first 15 seconds per session, with no integrity or availability impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jul 10, 2026 - 22:02 EUVD
Analysis Generated
Jul 10, 2026 - 21:38 vuln.today

DescriptionCVE.org

OpenReplay is a self-hosted session replay suite. From 1.22.0 before 1.27.0, getFirstMob returned 15-second presigned S3 download URLs for a session's DOM-replay recording based solely on the session path parameter, while validateProjectAccess checked only that the project belonged to the requester's tenant and did not verify that the session belonged to that project, allowing any authenticated low-privilege user to read another tenant's first 15 seconds of session-replay recording data. This issue is fixed in version 1.27.0.

AnalysisAI

Cross-tenant information disclosure in OpenReplay's self-hosted session-replay backend (versions 1.22.0 through 1.26.x) lets any authenticated low-privilege user retrieve the first 15 seconds of another tenant's DOM session-replay recording. The getFirstMob endpoint issued a 15-second presigned S3 URL keyed only on a user-supplied session path, while validateProjectAccess confirmed project-to-tenant ownership but never confirmed that the requested session actually belonged to that project, breaking multi-tenant isolation. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as low-privilege user
Delivery
Enumerate/guess other tenant session IDs
Exploit
Call getFirstMob with foreign session path
Execution
Receive 15-second presigned S3 URL
Impact
Download victim's session-replay recording

Vulnerability AssessmentAI

Exploitation Requires a valid authenticated account on a shared, multi-tenant OpenReplay deployment (CVSS PR:L confirms low-privilege authentication is needed - this is not unauthenticated), plus knowledge or enumeration of another tenant's session identifiers passed as the session path parameter to getFirstMob. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H) describes a network-reachable, low-complexity, low-privilege bug requiring no user interaction - meaning any ordinary authenticated user can exploit it reliably, which raises practical concern despite the modest 7.1 base score. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers or already holds a low-privilege account on a shared multi-tenant OpenReplay instance, then calls the getFirstMob endpoint substituting session identifiers belonging to other tenants. The server returns a valid 15-second presigned S3 URL for each, letting the attacker download and view the opening seconds of victims' session recordings - potentially exposing PII, form input, or in-app screens - with no user interaction and no elevated privileges required.
Remediation Vendor-released patch: upgrade to OpenReplay 1.27.0, which corrects the authorization check so that session ownership is validated against the project (and thus tenant) before a presigned S3 URL is issued; the fix is in PR https://github.com/openreplay/openreplay/pull/4692 and commit ddd09117f644a309c7b040cda0a11ff9433e9e49, with details in advisory https://github.com/openreplay/openreplay/security/advisories/GHSA-w2x5-m7w5-479h. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all deployed OpenReplay instances and confirm versions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-43033 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy