๐Ÿ” CVE Alert

CVE-2026-55880

HIGH 7.1

OpenReplay: Cross-user IDOR in notes and dashboard widgets

CVSS Score
7.1
EPSS Score
0.2%
EPSS Percentile
9th

OpenReplay is a self-hosted session replay suite. In 1.27.0 and earlier, three dashboard and note mutation functions ran their SQL without the ownership predicate that their sibling read and edit functions use: notes.delete filtered only on note id and project id, while dashboards.update_widget and dashboards.remove_widget filtered only on dashboard id and widget id, allowing any authenticated member to delete another user's private session notes and remove or rewrite widgets on another user's private dashboards.

CWE CWE-639
Vendor openreplay
Product openreplay
Published Jul 10, 2026
Last Updated Jul 13, 2026
Stay Ahead of the Next One

Get instant alerts for openreplay openreplay

Be the first to know when new high vulnerabilities affecting openreplay openreplay are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
Low

Affected Versions

openreplay / openreplay
<= 1.27.0

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/openreplay/openreplay/security/advisories/GHSA-9xfv-p2fx-vmx9