Back to overview

CVE-2026-55880

HIGH
7.1
CVSS 3.1
Description
OpenReplay is a self-hosted session replay suite. In 1.27.0 and earlier, three dashboard and note mutation functions ran their SQL without the ownership predicate that their sibling read and edit functions use: notes.delete filtered only on note id and project id, while dashboards.update_widget and dashboards.remove_widget filtered only on dashboard id and widget id, allowing any authenticated member to delete another user's private session notes and remove or rewrite widgets on another user's private dashboards.

Metadata

CVE ID
CVE-2026-55880
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-06-17 16:59 UTC
Published
2026-07-10 20:42 UTC
Last updated
2026-07-10 20:42 UTC
Primary CWE
CWE-639
CWE-639: Authorization Bypass Through User-Controlled Key
Vendor / Product
openreplay / openreplay
Sources
cve.org  ·  NVD

Severity & Metrics

7.1 HIGH CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
Affected products (1)
VendorProductPlatformVersions
openreplay openreplay <= 1.27.0
Weakness (CWE)
CWESourceDescription
CWE-639 cna CWE-639: Authorization Bypass Through User-Controlled Key
CVSS scores (1)
ScoreSeverityVersionSourceVector
7.1 HIGH 3.1 cna CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
References (1)
Back to overview