Severity by source
AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:L
Network API injection requiring only authenticated member access; AC:L because injection conditions are straightforward; UI:N because no victim interaction is needed; C:H for arbitrary table read; A:L for persistent search disruption.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:L
Lifecycle Timeline
2DescriptionCVE.org
OpenReplay is a self-hosted session replay suite. Prior to 1.27.0, the session search and analytics API in enterprise editions with multi-tenancy enabled built ClickHouse queries by inserting user input into the query string, including two positions that took input without escaping, allowing an authenticated member to read any ClickHouse table through blind boolean and time-based exfiltration and to break the project's session search for all viewers until the stored key is removed. This issue is fixed in version 1.27.0.
AnalysisAI
SQL injection in OpenReplay's enterprise session search and analytics API allows an authenticated member to exfiltrate arbitrary ClickHouse table data and disrupt session search for all project viewers. Affected are enterprise editions with multi-tenancy enabled, running versions prior to 1.27.0, where user-controlled input is inserted unsanitized into ClickHouse query strings at two positions. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires: (1) a valid authenticated account at member privilege level on the target OpenReplay instance (CVSS PR:L confirmed), (2) the target must be running the enterprise edition - the community edition is not described as affected, (3) multi-tenancy must be explicitly enabled in the enterprise configuration - this is not a default in all deployments and must be operator-configured. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor-assigned CVSS score of 5.4 (Medium) reflects the combination of meaningful confidentiality impact (C:H - arbitrary ClickHouse table reads) tempered by requiring low privileges (PR:L), high attack complexity (AC:H), and user interaction (UI:R). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with a valid low-privilege member account on an OpenReplay enterprise instance with multi-tenancy enabled submits crafted payloads to the session search API endpoint, injecting ClickHouse SQL into one of the two unescaped parameters. Using blind time-based or boolean inference techniques - sending sequences of conditional queries and observing response timing or result changes - the attacker systematically extracts data character-by-character from sensitive ClickHouse tables such as user session records or cross-tenant analytics data. … |
| Remediation | Upgrade to OpenReplay version 1.27.0, which contains the fix per the official release at https://github.com/openreplay/openreplay/releases/tag/v1.27.0. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Openreplay
View allSQL injection in OpenReplay session replay before 1.20.0.
Stored cross-site scripting in OpenReplay 1.24.0 through versions before 1.25.0 allows an unauthenticated attacker holdi
OpenReplay is a self-hosted session replay suite. Rated low severity (CVSS 3.5), this vulnerability is remotely exploita
Cross-tenant information disclosure in OpenReplay's self-hosted session-replay backend (versions 1.22.0 through 1.26.x)
Broken object-level authorization (IDOR) in OpenReplay 1.27.0 and earlier lets any authenticated project member tamper w
Cross-tenant Insecure Direct Object Reference (IDOR) in OpenReplay Enterprise Edition allows any authenticated user from
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43035