CVE-2026-45296
HighSummary
OpenReplay is a session replay suite that prior to version 1.26.0 had vulnerabilities in its Python API. There were app_apikey routes that trusted the caller-provided projectKey, allowing attackers to access projects of other tenants.
Risk Assessment
Attackers can exploit a valid API key to access user sessions and sensitive data across tenant boundaries, posing a serious threat to data security.
Recommendation
It is recommended to upgrade OpenReplay to version 1.26.0 or later to mitigate this vulnerability and implement additional tenant verification mechanisms.
Original NVD description (English source)
OpenReplay is a self-hosted session replay suite. Prior to 1.26.0, OpenReplay's Python API exposes several app_apikey routes that trust a caller-provided projectKey after validating only that the API key itself is valid and that the target projectKey exists. The authorization flow does not verify that the authenticated API key and the requested project belong to the same tenant. Because the public tracker design exposes projectKey to browser-side code, an attacker who owns any valid API key for their own tenant can target another tenant's project by reusing that public projectKey. The vulnerable routes allow the attacker to enumerate victim user sessions and then retrieve sensitive session event data across the tenant boundary. This vulnerability is fixed in 1.26.0.

