Session Replay Suite Vulnerability in OpenReplay by OpenReplay
CVE-2026-57230

5.4MEDIUM

Key Information:

Vendor

Openreplay

Vendor
CVE Published:
10 July 2026

What is CVE-2026-57230?

OpenReplay, a self-hosted session replay suite, contains a vulnerability in its session search and analytics API. Prior to version 1.27.0, the API allowed the insertion of unescaped user input into ClickHouse queries, posing serious data security risks. This flaw enables an authenticated user to execute blind boolean and time-based exfiltration attacks on any ClickHouse table. Consequently, it disrupts session search functionality across the platform until a stored key is properly removed. This vulnerability has been addressed in version 1.27.0.

Affected Version(s)

openreplay < 1.27.0

References

CVSS V3.1

Score:
5.4
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.