CVE-2026-57230 is a vulnerability in the OpenReplay session replay suite that allows authenticated members to read any ClickHouse table and disrupt session search. The issue was fixed in version 1.27.0. This vulnerability has a CVSS score of 5.4 and is considered Medium severity. The vulnerability affects OpenReplay's session search and analytics API in enterprise editions with multi-tenancy enabled.
CVE-2026-55881 is a high-severity vulnerability in OpenReplay, a self-hosted session replay suite. From version 1.22.0 to 1.27.0, an authenticated low-privilege user could exploit this issue to read the first 15 seconds of another tenant's session-replay recording data. The vulnerability arises from the getFirstMob function, which returned presigned S3 download URLs for session DOM-replay recordings based [truncated]
CVE-2026-55880 is a vulnerability in OpenReplay's self-hosted session replay suite, affecting versions 1.27.0 and earlier. The issue involves three dashboard and note mutation functions that ran their SQL without the ownership predicate, allowing any authenticated member to delete another user's private session notes and remove or rewrite widgets on another user's private dashboards. This vulnerability ha [truncated]
CVE-2026-55879 is a critical vulnerability in OpenReplay's self-hosted session replay suite. From version 1.24.0 to before 1.25.0, the OpenReplay tracking SDK accepts custom event names and captured page URLs from any visitor using a public project key. These are stored in ClickHouse without output encoding and later rendered in the authenticated dashboard. This allows an unauthenticated attacker to store [truncated]
OpenReplay is a self-hosted session replay suite. Prior to version 1.26.0, the Enterprise Edition (EE) contains an insecure direct object reference (IDOR) vulnerability on feature-flag and assist-stats routes. The ProjectAuthorizer authorization check in ee/api/auth/auth_project.py only validates tenant-project-user relationships when the project identifier uses camelCase (projectId). For routes using oth [truncated]
OpenReplay is a self-hosted session replay suite. Prior to version 1.26.0, the Python API contains several app_apikey routes that trust a caller-provided projectKey after validating only that the API key itself is valid and that the target projectKey exists. The authorization flow does not verify that the authenticated API key and the requested project belong to the same tenant. Because the public tracker [truncated]