PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-55880 openreplay CVE debrief

CVE-2026-55880 is a vulnerability in OpenReplay's self-hosted session replay suite, affecting versions 1.27.0 and earlier. The issue involves three dashboard and note mutation functions that ran their SQL without the ownership predicate, allowing any authenticated member to delete another user's private session notes and remove or rewrite widgets on another user's private dashboards. This vulnerability has a high impact on the confidentiality and integrity of user data, and it is essential for users of OpenReplay's self-hosted session replay suite to take necessary actions to protect their systems.

Vendor
openreplay
Product
Unknown
CVSS
HIGH 7.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-10
Original CVE updated
2026-07-10
Advisory published
2026-07-10
Advisory updated
2026-07-10

Who should care

Users of OpenReplay's self-hosted session replay suite, particularly those using version 1.27.0 or earlier, should be aware of this vulnerability and take necessary actions to protect their systems. This includes patching or mitigating the vulnerability, reviewing and updating access controls, and monitoring for suspicious activity.

Technical summary

In OpenReplay's self-hosted session replay suite, versions 1.27.0 and earlier, three dashboard and note mutation functions (notes.delete, dashboards.update_widget, and dashboards.remove_widget) did not use the ownership predicate, unlike their sibling read and edit functions. This allowed any authenticated member to delete another user's private session notes and remove or rewrite widgets on another user's private dashboards. The vulnerability has a CVSS score of 7.1 and a HIGH severity level.

Defensive priority

High priority should be given to patching or mitigating this vulnerability, as it allows for unauthorized actions on private session notes and dashboards.

Recommended defensive actions

  • Patch OpenReplay to version 1.27.1 or later
  • Review and update access controls for dashboard and note mutation functions
  • Monitor for suspicious activity on private session notes and dashboards
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record was published on 2026-07-10T21:16:57.493Z and has not been modified since then. The NVD entry is currently receiving updates. However, details about the vulnerability in OpenReplay's self-hosted session replay suite, affecting versions 1.27.0 and earlier, indicate that three dashboard and note mutation functions ran their SQL without the ownership predicate. This allows any authenticated member to delete another user's private session notes and remove or rewrite widgets on another user's private dashboards. Evidence is limited to the CVE and NVD entries, and defenders should verify the affected scope and vendor guidance.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T21:16:57.493Z and has not been modified since then.