CVE-2026-55881 in OpenReplayinfo

Summary

by MITRE • 07/11/2026

OpenReplay is a self-hosted session replay suite. From 1.22.0 before 1.27.0, getFirstMob returned 15-second presigned S3 download URLs for a session's DOM-replay recording based solely on the session path parameter, while validateProjectAccess checked only that the project belonged to the requester's tenant and did not verify that the session belonged to that project, allowing any authenticated low-privilege user to read another tenant's first 15 seconds of session-replay recording data. This issue is fixed in version 1.27.0.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 07/11/2026

The vulnerability identified in OpenReplay versions 1.22.0 through 1.26.9 represents a critical access control flaw that undermines the security boundaries between tenant environments. This issue manifests in the improper validation of session ownership during the retrieval of session replay data, specifically affecting the getFirstMob function which generates presigned S3 download URLs. The flaw occurs because the system relies solely on the session path parameter to determine access permissions, without proper verification that the session actually belongs to the project being accessed.

The technical implementation of this vulnerability stems from a broken access control mechanism where the validateProjectAccess function performs insufficient validation checks. While this function correctly verifies that the project belongs to the requesting user's tenant, it fails to confirm that the specific session being requested is associated with that project. This creates an authorization bypass scenario where any authenticated user within a tenant can potentially access session data from other projects within the same tenant, or worse, from different tenants if proper isolation is not maintained.

The operational impact of this vulnerability extends beyond simple data exposure, as it allows unauthorized users to access sensitive session replay information including user interactions, page content, and potentially personal identifiable information. The scope of exposure covers the first 15 seconds of DOM-replay recordings, which typically contain enough contextual information to reconstruct user behavior patterns and potentially identify sensitive actions performed on web applications. This represents a significant breach of data confidentiality and could lead to privacy violations, especially in environments handling regulated data or user privacy-sensitive applications.

This vulnerability aligns with CWE-285: "Improper Authorization" and maps to ATT&CK technique T1078: "Valid Accounts" as it exploits legitimate authentication mechanisms to gain unauthorized access. The flaw demonstrates poor least privilege enforcement where session-level access controls are not properly enforced, allowing lateral movement within the tenant environment. Organizations using OpenReplay in multi-tenant deployments face increased risk of data leakage and potential compliance violations under regulations such as gdpr, hipaa, or pci dss that mandate strict data isolation between different entities.

The mitigation strategy requires implementing proper session ownership validation that ensures any request for session replay data must verify both project ownership and direct session association. This includes strengthening the validateProjectAccess function to include session-level validation checks before generating presigned URLs. Organizations should also consider implementing additional logging and monitoring around access patterns to detect unauthorized attempts to access session data from unrelated projects, as well as ensuring that all users have appropriate role-based access controls to prevent privilege escalation scenarios.

The fix implemented in version 1.27.0 addresses the core authorization issue by enforcing proper session-to-project validation during URL generation for first mob recordings. This update ensures that presigned S3 URLs can only be generated for sessions that are actually associated with the project being accessed, thereby restoring proper access control boundaries between different tenant environments. The remediation approach follows security best practices of implementing defense in depth controls where multiple validation layers prevent unauthorized access attempts and maintain data integrity across multi-tenant deployments.

This vulnerability serves as a reminder of the critical importance of proper access control implementation in web applications, particularly those handling user session data. The flaw demonstrates how seemingly simple parameter validation can create significant security gaps when combined with inadequate ownership verification mechanisms. Organizations should conduct regular security assessments of their session management systems and ensure that all data access controls include appropriate validation checks to prevent similar authorization bypass scenarios from occurring in other components of their applications.

Responsible

GitHub M

Reservation

06/17/2026

Disclosure

07/11/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!