Skip to main content

Openreplay

7 CVEs product

Monthly

CVE-2026-57230 MEDIUM PATCH This Month

SQL injection in OpenReplay's enterprise session search and analytics API allows an authenticated member to exfiltrate arbitrary ClickHouse table data and disrupt session search for all project viewers. Affected are enterprise editions with multi-tenancy enabled, running versions prior to 1.27.0, where user-controlled input is inserted unsanitized into ClickHouse query strings at two positions. No public exploit has been identified at time of analysis, and the fix was released in version 1.27.0.

SQLi Openreplay
NVD GitHub
CVSS 3.1
5.4
EPSS
0.2%
CVE-2026-55881 HIGH PATCH This Week

Cross-tenant information disclosure in OpenReplay's self-hosted session-replay backend (versions 1.22.0 through 1.26.x) lets any authenticated low-privilege user retrieve the first 15 seconds of another tenant's DOM session-replay recording. The getFirstMob endpoint issued a 15-second presigned S3 URL keyed only on a user-supplied session path, while validateProjectAccess confirmed project-to-tenant ownership but never confirmed that the requested session actually belonged to that project, breaking multi-tenant isolation. No public exploit identified at time of analysis, but the flaw is trivially triggerable by any valid account and is fixed in 1.27.0.

Authentication Bypass Openreplay
NVD GitHub
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-55880 HIGH This Week

Broken object-level authorization (IDOR) in OpenReplay 1.27.0 and earlier lets any authenticated project member tamper with other users' private data: the notes.delete, dashboards.update_widget, and dashboards.remove_widget backend functions omit the ownership predicate their sibling read/edit functions enforce, so they act on any note or widget matching only an id and project/dashboard id. An authenticated low-privilege member can delete another user's private session notes and remove or rewrite widgets on another user's private dashboards. There is no public exploit identified and no CISA KEV listing; impact is integrity/availability of other tenants' data, not disclosure (CVSS 7.1, C:N/I:H/A:L).

Authentication Bypass Openreplay
NVD GitHub
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-55879 CRITICAL PATCH Act Now

Stored cross-site scripting in OpenReplay 1.24.0 through versions before 1.25.0 allows an unauthenticated attacker holding only a public project key to inject script via custom event names and captured page URLs, which the tracking SDK stores in ClickHouse without output encoding and the authenticated dashboard later renders through TextEllipsis and the event-details modal. When a logged-in operator views the poisoned session, the payload executes in the dashboard origin, reads the session JWT from localStorage, and enables full dashboard account takeover. No public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the CVSS base score is 9.3 and a vendor fix exists in 1.25.0.

XSS Openreplay
NVD GitHub
CVSS 3.1
9.3
EPSS
0.3%
CVE-2026-45297 MEDIUM PATCH This Month

Cross-tenant Insecure Direct Object Reference (IDOR) in OpenReplay Enterprise Edition allows any authenticated user from one tenant to read, update, or delete feature-flag and assist-stats data belonging to another tenant. The vulnerability exists because ProjectAuthorizer skips its tenant-scoped authorization check when the route parameter does not exactly match the camelCase string 'projectId', and EE feature-flag queries filter only on project_id without enforcing tenant_id isolation. Affecting all EE multi-tenant deployments prior to 1.26.0, no public exploit code has been identified at time of analysis, though the sequential integer ID scheme makes enumeration trivially feasible for any authenticated attacker.

Authentication Bypass Openreplay
NVD GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-28443 CRITICAL Act Now

SQL injection in OpenReplay session replay before 1.20.0.

SQLi Openreplay
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2023-48226 LOW POC Monitor

OpenReplay is a self-hosted session replay suite. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Openreplay
NVD GitHub
CVSS 3.1
3.5
EPSS
0.8%
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

SQL injection in OpenReplay's enterprise session search and analytics API allows an authenticated member to exfiltrate arbitrary ClickHouse table data and disrupt session search for all project viewers. Affected are enterprise editions with multi-tenancy enabled, running versions prior to 1.27.0, where user-controlled input is inserted unsanitized into ClickHouse query strings at two positions. No public exploit has been identified at time of analysis, and the fix was released in version 1.27.0.

SQLi Openreplay
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Cross-tenant information disclosure in OpenReplay's self-hosted session-replay backend (versions 1.22.0 through 1.26.x) lets any authenticated low-privilege user retrieve the first 15 seconds of another tenant's DOM session-replay recording. The getFirstMob endpoint issued a 15-second presigned S3 URL keyed only on a user-supplied session path, while validateProjectAccess confirmed project-to-tenant ownership but never confirmed that the requested session actually belonged to that project, breaking multi-tenant isolation. No public exploit identified at time of analysis, but the flaw is trivially triggerable by any valid account and is fixed in 1.27.0.

Authentication Bypass Openreplay
NVD GitHub
EPSS 0% CVSS 7.1
HIGH This Week

Broken object-level authorization (IDOR) in OpenReplay 1.27.0 and earlier lets any authenticated project member tamper with other users' private data: the notes.delete, dashboards.update_widget, and dashboards.remove_widget backend functions omit the ownership predicate their sibling read/edit functions enforce, so they act on any note or widget matching only an id and project/dashboard id. An authenticated low-privilege member can delete another user's private session notes and remove or rewrite widgets on another user's private dashboards. There is no public exploit identified and no CISA KEV listing; impact is integrity/availability of other tenants' data, not disclosure (CVSS 7.1, C:N/I:H/A:L).

Authentication Bypass Openreplay
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

Stored cross-site scripting in OpenReplay 1.24.0 through versions before 1.25.0 allows an unauthenticated attacker holding only a public project key to inject script via custom event names and captured page URLs, which the tracking SDK stores in ClickHouse without output encoding and the authenticated dashboard later renders through TextEllipsis and the event-details modal. When a logged-in operator views the poisoned session, the payload executes in the dashboard origin, reads the session JWT from localStorage, and enables full dashboard account takeover. No public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the CVSS base score is 9.3 and a vendor fix exists in 1.25.0.

XSS Openreplay
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Cross-tenant Insecure Direct Object Reference (IDOR) in OpenReplay Enterprise Edition allows any authenticated user from one tenant to read, update, or delete feature-flag and assist-stats data belonging to another tenant. The vulnerability exists because ProjectAuthorizer skips its tenant-scoped authorization check when the route parameter does not exactly match the camelCase string 'projectId', and EE feature-flag queries filter only on project_id without enforcing tenant_id isolation. Affecting all EE multi-tenant deployments prior to 1.26.0, no public exploit code has been identified at time of analysis, though the sequential integer ID scheme makes enumeration trivially feasible for any authenticated attacker.

Authentication Bypass Openreplay
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

SQL injection in OpenReplay session replay before 1.20.0.

SQLi Openreplay
NVD GitHub VulDB
EPSS 1% CVSS 3.5
LOW POC Monitor

OpenReplay is a self-hosted session replay suite. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Openreplay
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy