PatchSiren cyber security CVE debrief
CVE-2026-55881 openreplay CVE debrief
CVE-2026-55881 is a high-severity vulnerability in OpenReplay, a self-hosted session replay suite. From version 1.22.0 to 1.27.0, an authenticated low-privilege user could exploit this issue to read the first 15 seconds of another tenant's session-replay recording data. The vulnerability arises from the getFirstMob function, which returned presigned S3 download URLs for session DOM-replay recordings based solely on the session path parameter. The validateProjectAccess function only verified that the project belonged to the requester's tenant, without confirming that the session belonged to that project. This issue was fixed in version 1.27.0.
- Vendor
- openreplay
- Product
- Unknown
- CVSS
- HIGH 7.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-10
- Original CVE updated
- 2026-07-10
- Advisory published
- 2026-07-10
- Advisory updated
- 2026-07-10
Who should care
Users of OpenReplay, especially those with multi-tenant environments, should be aware of this vulnerability. If an attacker gains access to a low-privilege account, they could potentially read session-replay data from other tenants, leading to unauthorized data exposure.
Technical summary
The vulnerability exists in the getFirstMob function of OpenReplay, which generates 15-second presigned S3 download URLs for session DOM-replay recordings. These URLs are generated based solely on the session path parameter without proper validation. Specifically, the validateProjectAccess function checks if the project belongs to the requester's tenant but does not verify if the session itself belongs to that project. This oversight allows an authenticated low-privilege user to access session-replay data from another tenant. The issue was addressed in version 1.27.0 by implementing proper validation and access controls.
Defensive priority
High
Recommended defensive actions
- Upgrade OpenReplay to version 1.27.0 or later
- Review and restrict access to session-replay data
- Implement additional monitoring for unauthorized access attempts
- Conduct thorough inventory checks for OpenReplay installations
- Verify tenant isolation and access controls
Evidence notes
The CVE record was published on 2026-07-10T21:16:57.653Z and has not been modified since then. The NVD entry is currently 7.1 HIGH. Evidence is based on official CVE and NVD records, as well as references from GitHub related to the OpenReplay project.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T21:16:57.653Z and has not been modified since then. The NVD entry is currently 7.1 HIGH.