Description
OpenReplay is a self-hosted session replay suite. Prior to 1.26.0, OpenReplay's Python API exposes several app_apikey routes that trust a caller-provided projectKey after validating only that the API key itself is valid and that the target projectKey exists. The authorization flow does not verify that the authenticated API key and the requested project belong to the same tenant. Because the public tracker design exposes projectKey to browser-side code, an attacker who owns any valid API key for their own tenant can target another tenant's project by reusing that public projectKey. The vulnerable routes allow the attacker to enumerate victim user sessions and then retrieve sensitive session event data across the tenant boundary. This vulnerability is fixed in 1.26.0.
Published: 2026-05-28
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A vulnerability in OpenReplay’s Python API allows an authenticated attacker to exploit a missing tenant binding for projectKey parameters. When a requester supplies a valid API key, the API only verifies the key's validity and that the target projectKey exists, but it does not confirm that the projectKey belongs to the same tenant as the API key. This flaw permits an attacker who owns an API key for one tenant to reuse a public projectKey belonging to another tenant to enumerate that tenant’s user sessions and retrieve sensitive session event data, effectively leaking information across tenant boundaries. The weakness corresponds to configuration error (CWE-284).
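The missing tenant binding described above, as an added illustrative model: this is not OpenReplay's own code, and the tenant/project data, function names and both check variants are constructed assumptions.

```python
"""Illustrative model of the app_apikey authorization gap fixed in OpenReplay 1.26.0.

Constructed example: data, names and both check variants are assumptions
for illustration, not OpenReplay's own code.
"""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class ApiKey:
    key: str
    tenant_id: int


@dataclass(frozen=True)
class Project:
    project_key: str  # public: the tracker snippet ships it to browsers
    tenant_id: int


# Constructed sample data: two tenants, each with one API key and one project.
API_KEYS = {"key-tenant-a": ApiKey("key-tenant-a", 1), "key-tenant-b": ApiKey("key-tenant-b", 2)}
PROJECTS = {"pk-a": Project("pk-a", 1), "pk-b": Project("pk-b", 2)}
SESSIONS = {"pk-a": ["sess-a1"], "pk-b": ["sess-b1", "sess-b2"]}


def authorize_vulnerable(api_key: str, project_key: str) -> bool:
    """Pre-1.26.0 pattern: checks only 'key is valid' and 'project exists'."""
    return api_key in API_KEYS and project_key in PROJECTS


def authorize_fixed(api_key: str, project_key: str) -> bool:
    """Tenant binding: the project must belong to the same tenant as the key."""
    key = API_KEYS.get(api_key)
    project = PROJECTS.get(project_key)
    return key is not None and project is not None and key.tenant_id == project.tenant_id


def list_sessions(api_key: str, project_key: str,
                  authorize: Callable[[str, str], bool] = authorize_fixed) -> Optional[list]:
    """Model of a session-enumeration route; None means the request was refused."""
    if not authorize(api_key, project_key):
        return None
    return list(SESSIONS[project_key])
```

With the vulnerable check, tenant A's key lists tenant B's sessions; with the tenant-bound check the same request is refused while same-tenant requests still succeed.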

Affected Systems

All installations of OpenReplay using a Python API prior to version 1.26.0 are impacted, regardless of deployment environment or deployment scale. The affected component is the app_apikey module that processes projectKey requests.

Risk and Exploitability

The vulnerability carries a CVSS score of 7.7, indicating a high severity risk. EPSS is not available, and the issue is not listed in CISA’s KEV catalog, but the exploitation likelihood remains significant because the attack requires only possession of a valid API key and knowledge of a public projectKey, both of which an attacker can acquire easily. Successful exploitation leads to cross-tenant disclosure of user sessions and session events, compromising confidentiality for the affected tenant.

Generated by OpenCVE AI on May 28, 2026 at 19:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenReplay to version 1.26.0 or later to enforce tenant binding on projectKey requests
  • Eliminate or minimize the exposure of public projectKey values in client-side code and limit API key use to the intended tenant
  • Monitor API usage for abnormal cross‑tenant activity patterns and block requests that violate tenant boundaries

Advisories

No advisories yet.

History

Sat, 30 May 2026 02:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 28 May 2026 20:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Openreplay; Openreplay openreplay
Vendors & Products | | Openreplay; Openreplay openreplay

Thu, 28 May 2026 18:00:00 +0000

Type | Values Removed | Values Added
Description | | OpenReplay is a self-hosted session replay suite. Prior to 1.26.0, OpenReplay's Python API exposes several app_apikey routes that trust a caller-provided projectKey after validating only that the API key itself is valid and that the target projectKey exists. The authorization flow does not verify that the authenticated API key and the requested project belong to the same tenant. Because the public tracker design exposes projectKey to browser-side code, an attacker who owns any valid API key for their own tenant can target another tenant's project by reusing that public projectKey. The vulnerable routes allow the attacker to enumerate victim user sessions and then retrieve sensitive session event data across the tenant boundary. This vulnerability is fixed in 1.26.0.
Title | | OpenReplay: Cross-tenant information disclosure in app_apikey projectKey routes via missing tenant binding
Weaknesses | | CWE-284
References | |
Metrics | | cvssV3_1 {'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-30T02:00:43.461Z

Reserved: 2026-05-11T20:14:43.201Z

Link: CVE-2026-45296

Vulnrichment

Updated: 2026-05-30T02:00:39.253Z

NVD

Status : Deferred

Published: 2026-05-28T18:16:34.507

Modified: 2026-05-28T18:40:37.990

Link: CVE-2026-45296

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T20:30:25Z

Weaknesses