CVE-2026-45297
Cross-tenant IDOR on feature-flag and assist-stats routes via {project_id} case mismatch
OpenReplay is a self-hosted session replay suite. Prior to 1.26.0, there is a cross-tenant IDOR on feature-flag and assist-stats routes via {project_id} case mismatch. ProjectAuthorizer.__call__ (OSS api/auth/auth_project.py:14-38 and EE ee/api/auth/auth_project.py:14-46) only runs projects.is_authorized(project_id, tenant_id, user_id) + projects.get_project(tenant_id, project_id) when self.project_identifier == "projectId" (camelCase). For EE multi-tenant, feature-flag queries only filter on project_id, never tenant_id. Any authenticated user in tenant A can read/update/delete feature-flag rows belonging to tenant B by iterating the sequential integer project_id + feature_flag_id. OSS is single-tenant by design ({"errors":["tenants already registered"]} on second signup) so there's no cross-tenant impact This vulnerability is fixed in 1.26.0.
| CWE | CWE-285 CWE-639 CWE-863 |
| Vendor | openreplay |
| Product | openreplay |
| Published | May 28, 2026 |
| Last Updated | May 29, 2026 |
Get instant alerts for openreplay openreplay
Be the first to know when new unknown vulnerabilities affecting openreplay openreplay are published โ delivered to Slack, Telegram or Discord.