Impact
A cross‑tenant IDOR allows an authenticated user to read, update, or delete feature‑flag and assist‑stats data belonging to other tenants. The flaw arises because the project_identifier authorization guard is only applied when the request uses the camelCase "projectId" form, while the system accepts case‑mismatched alternative forms. In Enterprise Edition multi‑tenant installations, feature‑flag queries filter only on project_id and ignore tenant_id, enabling enumeration of sequential project identifiers to access data from any tenant. The lack of a tenant constraint, combined with the IDOR, jeopardizes data confidentiality and integrity for partners sharing the same deployment.
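The two mechanisms described above (an authorization guard keyed on a single spelling of the parameter, and a data query that filters on project_id alone) can be shown side by side. The following is an added illustration written for this page, not OpenReplay's code; the handler names, the accepted parameter spellings, the in-memory project table and the tenant/project values are all constructed assumptions.

```python
"""
Added illustration (not OpenReplay's code): why an authorization guard that
only fires on one spelling of a parameter fails, and how canonicalizing the
parameter plus tenant-scoping the query closes both gaps.
All names, request shapes and the in-memory "database" are constructed here.
"""
from typing import Optional

# Constructed sample rows: two projects owned by two different tenants.
PROJECTS = {
    1: {"project_id": 1, "tenant_id": 10, "flags": ["dark_mode"]},
    2: {"project_id": 2, "tenant_id": 20, "flags": ["beta_checkout"]},
}

# Hypothetical set of spellings the router treats as the same parameter.
PROJECT_ID_ALIASES = ("projectId", "projectid", "project_id", "PROJECTID")


class Forbidden(Exception):
    """Raised when the caller's tenant does not own the requested project."""


def _user_may_access(user_tenant_id: int, project_id: int) -> bool:
    row = PROJECTS.get(project_id)
    return row is not None and row["tenant_id"] == user_tenant_id


def vulnerable_get_flags(params: dict, user_tenant_id: int) -> Optional[list]:
    """Flawed pattern: the guard looks only at the camelCase key, while the
    data path accepts any alias and filters on project_id alone."""
    if "projectId" in params:
        if not _user_may_access(user_tenant_id, int(params["projectId"])):
            raise Forbidden()
    # Pick whichever alias is present; the guard above never saw the others.
    pid = next((int(params[k]) for k in PROJECT_ID_ALIASES if k in params), None)
    row = PROJECTS.get(pid)  # no tenant_id constraint
    return row["flags"] if row else None


def hardened_get_flags(params: dict, user_tenant_id: int) -> Optional[list]:
    """Fixed pattern: canonicalize the parameter before the guard, reject
    ambiguous requests, and scope the lookup by tenant_id so the guard is
    not the only line of defence."""
    present = [k for k in params if k.lower().replace("_", "") == "projectid"]
    if len(present) != 1:
        raise ValueError("exactly one project id parameter expected")
    pid = int(params[present[0]])
    if not _user_may_access(user_tenant_id, pid):
        raise Forbidden()
    # Tenant-scoped read: even a guard regression cannot leak another tenant's row.
    row = PROJECTS.get(pid)
    if row is None or row["tenant_id"] != user_tenant_id:
        return None
    return row["flags"]


def is_denied(handler, params: dict, user_tenant_id: int) -> bool:
    """True when the handler refuses the request (authorization or validation)."""
    try:
        handler(params, user_tenant_id)
    except (Forbidden, ValueError):
        return True
    return False


if __name__ == "__main__":
    # Tenant 10 asking for tenant 20's project under an alternate spelling.
    print("vulnerable:", vulnerable_get_flags({"project_id": 2}, 10))
    print("hardened denied:", is_denied(hardened_get_flags, {"project_id": 2}, 10))
```

The hardened version treats every accepted spelling as one parameter before any check runs, and the lookup itself carries the tenant constraint, so a future mismatch between guard and data path fails closed instead of disclosing another tenant's data.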
Affected Systems
The vulnerability exists in the OpenReplay session replay platform for all installations running a version older than 1.26.0. Both the OSS and EE deployments are affected, although the cross‑tenant impact is only present in EE multi‑tenant installations. The open‑source version is single‑tenant by design and does not suffer the cross‑tenant compromise, yet all installations should still upgrade because the fix also addresses the generic IDOR.
Risk and Exploitability
The CVSS base score of 5.3 indicates medium severity, reflecting limited impact if the attacker simply enumerates project IDs, but the ability to cross tenant boundaries is a serious concern in a shared environment. The EPSS score is not available, and the vulnerability is not currently listed in the CISA KEV catalog, suggesting it may not yet be under widespread active exploitation. An attacker would need only authenticated access and the ability to iterate numerical project identifiers, which is typically trivial where project IDs are assigned sequentially. Therefore, the risk is moderate overall but potentially high in large multi‑tenant deployments.
OpenCVE Enrichment