PT-2026-44457 · Unknown · Openreplay

Larlarua · Published 2026-05-28 · Updated 2026-05-28 · CVE-2026-45296

CVSS v3.1 7.7 High
Vector AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions OpenReplay versions prior to 1.26.0
Description OpenReplay is a self-hosted session replay suite. Several 'app apikey' routes in its Python API accept a caller-supplied projectKey and authorize the request after checking only that the API key is valid and that a project with that projectKey exists. The authorization flow never verifies that the authenticated API key and the requested project belong to the same tenant. Because the public tracker design exposes the projectKey to browser-side code, an attacker holding a valid API key for their own tenant can supply another tenant's public projectKey to enumerate that tenant's user sessions and retrieve sensitive session event data across tenant boundaries.
Recommendations Update to version 1.26.0 or later.
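The following is an added example written for this page, not OpenReplay's own code, to make the authorization gap concrete. It models the flawed route beside a hardened one using constructed in-memory tables; every name, table and sample record in it (API_KEYS, PROJECTS, SESSIONS, tenant_for_api_key, list_sessions_vulnerable, list_sessions_fixed) is an assumption for illustration.

```python
"""Added example: tenant-unbound projectKey authorization, vulnerable vs. fixed.

Illustrative code written for this page, not OpenReplay's API. All names,
tables and sample data below are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List


class Unauthorized(Exception):
    """Raised when a request must be rejected (invalid key or no access)."""


@dataclass(frozen=True)
class Project:
    project_id: int
    project_key: str  # public: shipped to browsers inside the tracker snippet
    tenant_id: int


# Constructed sample tables standing in for the database.
API_KEYS: Dict[str, int] = {            # api key -> owning tenant_id
    "key-tenant-a": 1,
    "key-tenant-b": 2,
}
PROJECTS: Dict[str, Project] = {        # project_key -> Project
    "pk-aaaa": Project(project_id=10, project_key="pk-aaaa", tenant_id=1),
    "pk-bbbb": Project(project_id=20, project_key="pk-bbbb", tenant_id=2),
}
SESSIONS: Dict[int, List[dict]] = {     # project_id -> session records
    10: [{"session_id": "a-1", "user_id": "alice@tenant-a"}],
    20: [{"session_id": "b-1", "user_id": "bob@tenant-b"},
         {"session_id": "b-2", "user_id": "carol@tenant-b"}],
}


def tenant_for_api_key(api_key: str) -> int:
    """Authentication step: the key must exist. Returns the owning tenant."""
    try:
        return API_KEYS[api_key]
    except KeyError:
        raise Unauthorized("invalid API key") from None


def list_sessions_vulnerable(api_key: str, project_key: str) -> List[dict]:
    """Mirrors the flawed flow: valid key + existing projectKey == access.

    The tenant owning the key is never compared with the tenant owning the
    project, so any valid key can read any project whose public key it knows.
    """
    tenant_for_api_key(api_key)             # checks validity only
    project = PROJECTS.get(project_key)     # checks existence only
    if project is None:
        raise Unauthorized("unknown project")
    return SESSIONS[project.project_id]


def list_sessions_fixed(api_key: str, project_key: str) -> List[dict]:
    """Hardened flow: resolve the project within the caller's tenant.

    A projectKey owned by another tenant is handled exactly like a
    projectKey that does not exist, so the response cannot be used as an
    oracle for which public keys are live on the instance.
    """
    tenant_id = tenant_for_api_key(api_key)
    project = PROJECTS.get(project_key)
    if project is None or project.tenant_id != tenant_id:
        raise Unauthorized("unknown project")
    return SESSIONS[project.project_id]


def is_denied(handler: Callable[[str, str], List[dict]],
              api_key: str, project_key: str) -> bool:
    """True if the handler rejects the (api_key, project_key) pair."""
    try:
        handler(api_key, project_key)
    except Unauthorized:
        return True
    return False


if __name__ == "__main__":
    # Tenant A's key reading tenant B's project: leaks in the vulnerable flow.
    print(list_sessions_vulnerable("key-tenant-a", "pk-bbbb"))
    print(is_denied(list_sessions_fixed, "key-tenant-a", "pk-bbbb"))
```

In a real service the tenant binding belongs in one shared dependency rather than in each route, and the project lookup should be scoped by tenant at the query itself (for example `WHERE project_key = %s AND tenant_id = %s`), so a forgotten comparison in a new route cannot reopen the gap.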

Fix

Improper Access Control


Weakness Enumeration

Related Identifiers

CVE-2026-45296

Affected Products

Openreplay