Session Replay Vulnerability in OpenReplay Affects Multiple Versions
CVE-2026-55881

7.1HIGH

Key Information:

Vendor

Openreplay

Vendor
CVE Published:
10 July 2026

What is CVE-2026-55881?

OpenReplay is a self-hosted session replay suite that had a flaw in versions 1.22.0 through 1.26.0, where the getFirstMob function erroneously generated presigned S3 download URLs for the first 15 seconds of session replay recordings based solely on the session path parameter. The validateProjectAccess method did not sufficiently verify that the session corresponded with the project to which it belonged. This allowed authenticated users with low privileges to access session replay recordings from other tenants, exposing sensitive data.

Affected Version(s)

openreplay >= 1.22.0, < 1.27.0

References

CVSS V4

Score:
7.1
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.