CVE-2026-45296 openreplay CVE debrief

Who should care

Organizations running self-hosted OpenReplay instances prior to version 1.26.0, particularly multi-tenant deployments where data isolation between tenants is critical. Security teams responsible for session replay infrastructure and API authorization controls should prioritize this fix.

Technical summary

The vulnerability stems from missing tenant validation in OpenReplay's Python API authorization flow. When processing requests to app_apikey routes, the system validates that the provided API key is valid and that the requested projectKey exists, but fails to verify that both belong to the same tenant. Since projectKey values are exposed in browser-side tracker code, any attacker with a valid API key for their own tenant can craft requests targeting other tenants' projects. This enables enumeration of user sessions and exfiltration of sensitive session replay data across tenant boundaries. The vulnerability is classified as CWE-284 (Improper Access Control) and carries a CVSS 3.1 score of 7.7 (HIGH severity).

Defensive priority

HIGH

Recommended defensive actions

• Upgrade OpenReplay to version 1.26.0 or later to remediate this vulnerability.
• Review API authorization logic to ensure tenant isolation is properly enforced for all app_apikey routes.
• Audit access logs for any suspicious cross-tenant session enumeration or data retrieval activity.
• Consider implementing additional authorization checks that verify API key and projectKey belong to the same tenant before processing requests.
• Review and rotate API keys if compromise is suspected.

Evidence notes

The CVE description and GitHub Security Advisory (GHSA-8wmc-vpmf-cjf5) confirm the vulnerability exists in OpenReplay versions prior to 1.26.0. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N) scores 7.7 (HIGH severity). CWE-284 (Improper Access Control) is identified as the primary weakness. The fix is confirmed in version 1.26.0.

Official resources