PatchSiren

openreplay CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM openreplay CVE published 2026-05-28

CVE-2026-45297

OpenReplay is a self-hosted session replay suite. Prior to version 1.26.0, the Enterprise Edition (EE) contains an insecure direct object reference (IDOR) vulnerability on feature-flag and assist-stats routes. The ProjectAuthorizer authorization check in ee/api/auth/auth_project.py only validates tenant-project-user relationships when the project identifier uses camelCase (projectId). For routes using oth [truncated]
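The bypass class described above (an authorizer keyed on one spelling of the project parameter) is easy to reproduce in miniature. The block below is an added example written for this debrief, not OpenReplay's ProjectAuthorizer; the tenancy tables, user names, the `authorize_vulnerable`/`authorize_fixed` functions and the `PROJECT_PARAM_NAMES` list are all constructed for illustration. It contrasts a check that silently passes when the route uses a spelling other than `projectId` with a hardened version that normalises every accepted spelling, rejects disagreeing duplicates, and fails closed when no usable project id is present.

```python
# Added example (not OpenReplay's code): a toy project authorizer showing a
# parameter-naming bypass of the kind described above, and a hardened version
# that accepts every spelling the routes use and fails closed.
from typing import Mapping, Optional

# Constructed tenancy data for the demo: project -> tenant, user -> tenant.
PROJECT_TENANT = {101: "tenant-a", 202: "tenant-b"}
USER_TENANT = {"alice": "tenant-a", "bob": "tenant-b"}

# Hypothetical list of parameter spellings in use across routes.
PROJECT_PARAM_NAMES = ("projectId", "project_id")


def user_in_project_tenant(user_id: str, project_id: int) -> bool:
    """True only if the project exists and shares a tenant with the user."""
    tenant = PROJECT_TENANT.get(project_id)
    return tenant is not None and tenant == USER_TENANT.get(user_id)


def authorize_vulnerable(user_id: str, params: Mapping[str, str]) -> bool:
    """Checks tenancy only when the route spelled the parameter 'projectId'.

    A route that uses 'project_id' never reaches the check, so any
    authenticated user passes for any project: the IDOR.
    """
    raw = params.get("projectId")
    if raw is None:
        return True  # nothing recognised to check -> request is allowed
    return user_in_project_tenant(user_id, int(raw))


def extract_project_id(params: Mapping[str, str]) -> Optional[int]:
    """Normalise every accepted spelling to one integer id.

    Returns None if the id is absent, non-numeric, or if two spellings
    are present and disagree (a parameter-smuggling attempt).
    """
    ids = set()
    for name in PROJECT_PARAM_NAMES:
        if name in params:
            try:
                ids.add(int(params[name]))
            except (TypeError, ValueError):
                return None
    return ids.pop() if len(ids) == 1 else None


def authorize_fixed(user_id: str, params: Mapping[str, str]) -> bool:
    """Fail closed: a project-scoped route with no usable project id is denied."""
    project_id = extract_project_id(params)
    if project_id is None:
        return False
    return user_in_project_tenant(user_id, project_id)
```

The design point is that the authorizer, not each route, owns the list of accepted parameter spellings; a route that introduces a new spelling then fails closed (denied) instead of open (unchecked), which is the failure mode the advisory describes.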

HIGH openreplay CVE published 2026-05-28

CVE-2026-45296

OpenReplay is a self-hosted session replay suite. Prior to version 1.26.0, the Python API contains several app_apikey routes that trust a caller-provided projectKey after validating only that the API key itself is valid and that the target projectKey exists. The authorization flow does not verify that the authenticated API key and the requested project belong to the same tenant. Because the public tracker [truncated]
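The second flaw is a missing binding between two independently valid facts: the API key is real, and the project exists, but nothing ties them to the same tenant. The block below is an added example written for this debrief, not OpenReplay's app_apikey route code; the key and project tables, the `handle_vulnerable`/`handle_fixed` handlers and the status-code convention are constructed for illustration. It shows a handler that accepts a caller-provided projectKey after those two checks alone, beside one that additionally requires the project's tenant to match the tenant that owns the API key.

```python
# Added example (not OpenReplay's code): a toy API-key route showing the
# missing tenant binding described above and the corrected check.
from dataclasses import dataclass
from typing import Mapping, Optional, Tuple


@dataclass(frozen=True)
class Project:
    project_id: int
    tenant_id: str


# Constructed data: API key -> owning tenant; caller-supplied projectKey -> project.
API_KEY_TENANT = {"sk-tenant-a": "tenant-a", "sk-tenant-b": "tenant-b"}
PROJECTS_BY_KEY = {
    "pk-111": Project(101, "tenant-a"),
    "pk-222": Project(202, "tenant-b"),
}


def tenant_for_api_key(headers: Mapping[str, str]) -> Optional[str]:
    """Resolve the Authorization header to the tenant that owns the key."""
    return API_KEY_TENANT.get(headers.get("Authorization", ""))


def handle_vulnerable(headers: Mapping[str, str], project_key: str) -> Tuple[int, Optional[int]]:
    """Validates the key, validates that the project exists, then trusts projectKey.

    A key from tenant-a can therefore read tenant-b's project by supplying
    tenant-b's projectKey, which is exactly the cross-tenant access described.
    """
    tenant = tenant_for_api_key(headers)
    if tenant is None:
        return 401, None
    project = PROJECTS_BY_KEY.get(project_key)
    if project is None:
        return 404, None
    return 200, project.project_id  # no comparison of project.tenant_id with tenant


def handle_fixed(headers: Mapping[str, str], project_key: str) -> Tuple[int, Optional[int]]:
    """Same flow, but the project must belong to the tenant that owns the key."""
    tenant = tenant_for_api_key(headers)
    if tenant is None:
        return 401, None
    project = PROJECTS_BY_KEY.get(project_key)
    # One response for "no such project" and "not your project", so a valid key
    # cannot be used to enumerate which projectKeys exist in other tenants.
    if project is None or project.tenant_id != tenant:
        return 404, None
    return 200, project.project_id
```

The usual way to make this hard to regress is to resolve the project through the tenant rather than globally (look up `(tenant, project_key)` together) so that a route cannot forget the comparison; the explicit comparison above keeps the two steps visible for the demonstration.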