Cross-Tenant IDOR Vulnerability in OpenReplay Session Replay Suite
CVE-2026-45297
What is CVE-2026-45297?
OpenReplay, a self-hosted session replay suite, exhibits a cross-tenant Insecure Direct Object Reference (IDOR) vulnerability prior to version 1.26.0. This flaw arises in the feature-flag and assist-stats routes due to a case mismatch in {project_id}, allowing any authenticated user from one tenant (tenant A) to read, update, or delete feature-flag data belonging to another tenant (tenant B). This occurs because the authorization checks operate solely on project_id without verifying tenant_id for multi-tenant setups, specifically when the project_identifier is set to 'projectId' (camelCase). Importantly, this issue does not affect OpenReplay's single-tenant design, which prevents cross-tenant exploitation. Version 1.26.0 includes a fix for this vulnerability.
Affected Version(s)
openreplay < 1.26.0
