CVE-2026-55880 PUBLISHED

OpenReplay: Cross-user IDOR in notes and dashboard widgets

Assigner: GitHub_M
Reserved: 17.06.2026 Published: 10.07.2026 Updated: 10.07.2026

OpenReplay is a self-hosted session replay suite. In 1.27.0 and earlier, three dashboard and note mutation functions ran their SQL without the ownership predicate that their sibling read and edit functions use: notes.delete filtered only on note id and project id, while dashboards.update_widget and dashboards.remove_widget filtered only on dashboard id and widget id, allowing any authenticated member to delete another user's private session notes and remove or rewrite widgets on another user's private dashboards.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
CVSS Score: 7.1

Product Status

Vendor openreplay
Product openreplay
Versions
  • Version <= 1.27.0 is affected

References

Problem Types

  • CWE-639: Authorization Bypass Through User-Controlled Key CWE