Session Replay Suite Vulnerability in OpenReplay Affects User Dashboard Security
CVE-2026-55879

9.3CRITICAL

Key Information:

Vendor

Openreplay

Vendor
CVE Published:
10 July 2026

What is CVE-2026-55879?

The OpenReplay session replay suite has a vulnerability where the tracking SDK allows unauthenticated visitors to submit custom event names and page URLs using a public project key. This data is stored in ClickHouse without proper output encoding, enabling an attacker to inject malicious scripts that execute within the authenticated user's dashboard. This issue can lead to session hijacking and unauthorized account access. The vulnerability has been addressed in version 1.25.0.

Affected Version(s)

openreplay >= 1.24.0, < 1.25.0

References

CVSS V3.1

Score:
9.3
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.