Session Replay Suite Vulnerability in OpenReplay Affects User Dashboard Security
CVE-2026-55879
9.3CRITICAL
What is CVE-2026-55879?
The OpenReplay session replay suite has a vulnerability where the tracking SDK allows unauthenticated visitors to submit custom event names and page URLs using a public project key. This data is stored in ClickHouse without proper output encoding, enabling an attacker to inject malicious scripts that execute within the authenticated user's dashboard. This issue can lead to session hijacking and unauthorized account access. The vulnerability has been addressed in version 1.25.0.
Affected Version(s)
openreplay >= 1.24.0, < 1.25.0
