SQL Injection Vulnerability in OpenReplay Self-hosted Session Replay Suite
CVE-2026-55880
7.1HIGH
What is CVE-2026-55880?
The OpenReplay self-hosted session replay suite has a security vulnerability in versions up to and including 1.27.0. This vulnerability arises due to improper handling of SQL queries in specific dashboard and note mutation functions. In this case, the deletion of private session notes and the alteration of dashboard widgets can be performed by any authenticated user, circumventing intended access controls. The affected functions lack the necessary ownership predicates, exposing users to the risk of unauthorized manipulation of their data by others within the application.
Affected Version(s)
openreplay <= 1.27.0
