PT-2026-44458 · Unknown · Openreplay
Sajdakabir
·
Published
2026-05-28
·
Updated
2026-05-28
·
CVE-2026-45297
CVSS v4.0
5.3
Medium
| Vector | AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
OpenReplay versions prior to 1.26.0
Description
An Insecure Direct Object Reference (IDOR) exists in the self-hosted session replay suite due to a case mismatch in the project id variable. In the Enterprise Edition (EE) multi-tenant environment, the ProjectAuthorizer.__call__ function (located in api/auth/auth_project.py and ee/api/auth/auth_project.py) only performs authorization checks when the project identifier is in camelCase (projectId). Consequently, queries for the 'feature-flag' and 'assist-stats' routes filter only by project_id and ignore the tenant_id. This allows an authenticated user from one tenant to read, update, or delete feature-flag data belonging to another tenant by iterating through sequential integer values of project_id and feature_flag_id.
Recommendations
Update to version 1.26.0.
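The following is an added illustration, not OpenReplay's code: a stripped-down Python model of the flaw described above, with the vulnerable authorizer and route handler beside a hardened pair. All names (ProjectAuthorizer is modelled as plain functions), the in-memory tables and the route parameters are assumptions made for this example; it runs offline on constructed data.

```python
# Added example (not OpenReplay's code): a stripped-down model of the authorization
# gap described in the advisory. Every name, table and route here is an assumption
# made for illustration; it runs offline on constructed in-memory data.
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Constructed sample data: two tenants, one project each, one feature flag per project.
PROJECTS: Dict[int, Dict[str, int]] = {1: {"tenant_id": 10}, 2: {"tenant_id": 20}}
FEATURE_FLAGS: Dict[int, Dict[str, object]] = {
    100: {"project_id": 1, "name": "tenant-a-flag"},
    200: {"project_id": 2, "name": "tenant-b-flag"},
}


@dataclass
class Context:
    """Authenticated caller: the tenant comes from the session, never from the request."""
    user_id: int
    tenant_id: int


class AuthorizationError(Exception):
    pass


def authorize_project_vulnerable(ctx: Context, path_params: Dict[str, int]) -> None:
    """Models the flawed authorizer: it only looks for the camelCase key, so a
    route declared with a snake_case parameter gets no tenant check at all."""
    project_id = path_params.get("projectId")
    if project_id is None:
        return  # silently skips the check
    project = PROJECTS.get(project_id)
    if project is None or project["tenant_id"] != ctx.tenant_id:
        raise AuthorizationError("project does not belong to caller's tenant")


def authorize_project_fixed(ctx: Context, path_params: Dict[str, int]) -> int:
    """Hardened authorizer: accepts either spelling and fails closed when neither
    is present, so no route can be wired up without a tenant check."""
    project_id = path_params.get("projectId", path_params.get("project_id"))
    if project_id is None:
        raise AuthorizationError("route exposes no project identifier to authorize")
    project = PROJECTS.get(project_id)
    if project is None or project["tenant_id"] != ctx.tenant_id:
        raise AuthorizationError("project does not belong to caller's tenant")
    return project_id


def get_feature_flag_vulnerable(ctx: Context, project_id: int, flag_id: int) -> Optional[dict]:
    """Route handler with a snake_case parameter: the authorizer is bypassed and the
    lookup filters on project_id only, ignoring tenant_id."""
    authorize_project_vulnerable(ctx, {"project_id": project_id})
    flag = FEATURE_FLAGS.get(flag_id)
    if flag is not None and flag["project_id"] == project_id:
        return flag
    return None


def get_feature_flag_fixed(ctx: Context, project_id: int, flag_id: int) -> Optional[dict]:
    """Same route, fixed: the authorizer runs, and as defence in depth the lookup
    itself is also scoped to the caller's tenant (the equivalent of adding
    tenant_id to the WHERE clause)."""
    authorize_project_fixed(ctx, {"project_id": project_id})
    flag = FEATURE_FLAGS.get(flag_id)
    if (flag is not None and flag["project_id"] == project_id
            and PROJECTS[project_id]["tenant_id"] == ctx.tenant_id):
        return flag
    return None


def attempt_read(handler: Callable[..., Optional[dict]], ctx: Context,
                 project_id: int, flag_id: int) -> Optional[str]:
    """Returns the flag name on success, None when access is denied or absent."""
    try:
        flag = handler(ctx, project_id, flag_id)
    except AuthorizationError:
        return None
    return None if flag is None else str(flag["name"])


def demo() -> Dict[str, Optional[str]]:
    """Tenant A's user asks for tenant B's flag via both handlers, plus a legitimate read."""
    tenant_a_user = Context(user_id=1, tenant_id=10)
    return {
        "vulnerable_cross_tenant": attempt_read(get_feature_flag_vulnerable, tenant_a_user, 2, 200),
        "fixed_cross_tenant": attempt_read(get_feature_flag_fixed, tenant_a_user, 2, 200),
        "fixed_own_tenant": attempt_read(get_feature_flag_fixed, tenant_a_user, 1, 100),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

Two properties of the hardened version matter for review: the authorizer fails closed when it cannot find a project identifier under any accepted spelling, so a route cannot silently opt out of the check, and the data access itself carries the tenant scope, so even a future authorizer regression does not expose another tenant's rows.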
Fix
IDOR
Improper Authorization
Incorrect Authorization
Affected Products
Openreplay