CVE-2026-55879 in OpenReplayinfo

Summary

by MITRE • 07/10/2026

OpenReplay is a self-hosted session replay suite. From 1.24.0 before 1.25.0, the OpenReplay tracking SDK accepts custom event names and captured page URLs from any visitor using a public project key, stores them in ClickHouse without output encoding, and later renders them in the authenticated dashboard through TextEllipsis and the event-details modal, allowing an unauthenticated attacker to store script that executes in the dashboard origin, reads the session JWT from localStorage, and takes over a dashboard account. This issue is fixed in version 1.25.0.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 07/10/2026

The vulnerability in OpenReplay tracking SDK versions 1.24.0 through 1.25.0 represents a critical server-side request forgery and cross-site scripting vulnerability that enables unauthorized account takeovers. This flaw stems from insufficient input validation and sanitization mechanisms within the session replay suite's data processing pipeline, where custom event names and page URLs are accepted directly from visitors without proper encoding or filtering before storage in ClickHouse database. The security issue manifests through a combination of insecure data handling practices that create multiple attack vectors for malicious actors to exploit.

The technical implementation of this vulnerability involves the SDK accepting untrusted input through a public project key mechanism, which serves as an entry point for attackers to inject malicious payloads into the system. When these inputs are stored in ClickHouse without proper output encoding, they become persistent elements within the application's data store. The authenticated dashboard component later renders these stored values through TextEllipsis and event-details modal interfaces, creating a direct path for script execution within the context of the victim's browser session. This scenario constitutes a classic cross-site scripting attack vector where the attacker's malicious code executes in the dashboard origin with the privileges of the logged-in user.

The operational impact of this vulnerability extends beyond simple data corruption or display issues, as it enables full account takeover capabilities for authenticated users. Attackers can leverage this vulnerability to execute arbitrary JavaScript code within the dashboard environment, potentially accessing session tokens stored in localStorage and hijacking active user sessions. This allows unauthorized individuals to perform actions as legitimate users, including accessing sensitive session data, modifying configurations, or conducting further attacks through compromised accounts. The vulnerability affects all versions prior to 1.25.0, making it a widespread concern for organizations using affected OpenReplay implementations.

The mitigation strategy requires implementing proper input validation and output encoding mechanisms throughout the data processing pipeline, specifically addressing the CWE-79 (Cross-site Scripting) and CWE-89 (SQL Injection) vulnerability categories that this issue encompasses. Organizations should ensure that all user-provided inputs are properly sanitized before storage and encoded appropriately when rendered in web interfaces. The fix implemented in version 1.25.0 likely includes input validation for event names and URL parameters, along with proper HTML encoding of stored data before rendering in dashboard components. This aligns with ATT&CK technique T1059.007 (Command and Scripting Interpreter: JavaScript) and T1566.002 (Phishing: Spearphishing Attachment) as attackers could potentially use this vulnerability to establish persistent access through compromised dashboard sessions.

Security practitioners should implement comprehensive monitoring for unusual data patterns in ClickHouse databases, particularly around event name and URL fields that might indicate injection attempts. The vulnerability demonstrates the importance of defense-in-depth strategies where input validation occurs at multiple layers of the application architecture, preventing malicious data from reaching critical rendering components. Regular security assessments and code reviews focusing on data flow between untrusted inputs and output rendering contexts should be conducted to prevent similar vulnerabilities in other applications. Organizations using OpenReplay or similar session replay solutions must prioritize upgrading to version 1.25.0 or later to eliminate this account takeover risk while implementing additional security controls such as content security policies and regular input validation testing.

Responsible

GitHub M

Reservation

06/17/2026

Disclosure

07/10/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!