SQL Injection Vulnerability in OpenReplay Self-hosted Session Replay Suite
CVE-2026-55880

7.1HIGH

Key Information:

Vendor

Openreplay

Vendor
CVE Published:
10 July 2026

What is CVE-2026-55880?

The OpenReplay self-hosted session replay suite has a security vulnerability in versions up to and including 1.27.0. This vulnerability arises due to improper handling of SQL queries in specific dashboard and note mutation functions. In this case, the deletion of private session notes and the alteration of dashboard widgets can be performed by any authenticated user, circumventing intended access controls. The affected functions lack the necessary ownership predicates, exposing users to the risk of unauthorized manipulation of their data by others within the application.

Affected Version(s)

openreplay <= 1.27.0

References

CVSS V3.1

Score:
7.1
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.