PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-55881 openreplay CVE debrief

CVE-2026-55881 is a high-severity vulnerability in OpenReplay, a self-hosted session replay suite. From version 1.22.0 to 1.27.0, an authenticated low-privilege user could exploit this issue to read the first 15 seconds of another tenant's session-replay recording data. The vulnerability arises from the getFirstMob function, which returned presigned S3 download URLs for session DOM-replay recordings based solely on the session path parameter. The validateProjectAccess function only verified that the project belonged to the requester's tenant, without confirming that the session belonged to that project. This issue was fixed in version 1.27.0.

Vendor
openreplay
Product
Unknown
CVSS
HIGH 7.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-10
Original CVE updated
2026-07-10
Advisory published
2026-07-10
Advisory updated
2026-07-10

Who should care

Users of OpenReplay, especially those with multi-tenant environments, should be aware of this vulnerability. If an attacker gains access to a low-privilege account, they could potentially read session-replay data from other tenants, leading to unauthorized data exposure.

Technical summary

The vulnerability exists in the getFirstMob function of OpenReplay, which generates 15-second presigned S3 download URLs for session DOM-replay recordings. These URLs are generated based solely on the session path parameter without proper validation. Specifically, the validateProjectAccess function checks if the project belongs to the requester's tenant but does not verify if the session itself belongs to that project. This oversight allows an authenticated low-privilege user to access session-replay data from another tenant. The issue was addressed in version 1.27.0 by implementing proper validation and access controls.

Defensive priority

High

Recommended defensive actions

  • Upgrade OpenReplay to version 1.27.0 or later
  • Review and restrict access to session-replay data
  • Implement additional monitoring for unauthorized access attempts
  • Conduct thorough inventory checks for OpenReplay installations
  • Verify tenant isolation and access controls

Evidence notes

The CVE record was published on 2026-07-10T21:16:57.653Z and has not been modified since then. The NVD entry is currently 7.1 HIGH. Evidence is based on official CVE and NVD records, as well as references from GitHub related to the OpenReplay project.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T21:16:57.653Z and has not been modified since then. The NVD entry is currently 7.1 HIGH.