Cross-Tenant IDOR Vulnerability in OpenReplay Session Replay Suite
CVE-2026-45297

5.3MEDIUM

Key Information:

Vendor

Openreplay

Vendor
CVE Published:
28 May 2026

What is CVE-2026-45297?

OpenReplay, a self-hosted session replay suite, exhibits a cross-tenant Insecure Direct Object Reference (IDOR) vulnerability prior to version 1.26.0. This flaw arises in the feature-flag and assist-stats routes due to a case mismatch in {project_id}, allowing any authenticated user from one tenant (tenant A) to read, update, or delete feature-flag data belonging to another tenant (tenant B). This occurs because the authorization checks operate solely on project_id without verifying tenant_id for multi-tenant setups, specifically when the project_identifier is set to 'projectId' (camelCase). Importantly, this issue does not affect OpenReplay's single-tenant design, which prevents cross-tenant exploitation. Version 1.26.0 includes a fix for this vulnerability.

Affected Version(s)

openreplay < 1.26.0

References

CVSS V4

Score:
5.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.