Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-28443 is a SQL injection vulnerability in the OpenReplay software, specifically affecting the POST /{projectId}/cards/search endpoint in versions prior to 1.20.0.'}, {'type': 'paragraph', 'content': "The issue arises because the sort.field parameter is used directly in an SQL query's ORDER BY clause without proper validation or sanitization. This parameter is interpolated into the SQL query using an f-string before the query is executed, allowing an attacker to inject malicious SQL code."}, {'type': 'paragraph', 'content': 'While other parameters are sanitized properly, the sort.field parameter lacks validation, making it possible for an attacker to manipulate the SQL query and potentially execute arbitrary SQL commands.'}, {'type': 'paragraph', 'content': 'This vulnerability is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) and was fixed in OpenReplay versions greater than 1.20.0.'}] [1]

Useful 0 Not Useful 0

Impact Analysis

[{'type': 'paragraph', 'content': 'This SQL injection vulnerability can allow an attacker to execute arbitrary SQL commands on the database used by OpenReplay.'}, {'type': 'paragraph', 'content': 'Potential impacts include unauthorized data access, data modification, data deletion, or even complete compromise of the database.'}, {'type': 'paragraph', 'content': "Because the vulnerability is exploitable without authentication (no privileges required), it poses a significant risk to the confidentiality, integrity, and availability of the affected system's data."}, {'type': 'paragraph', 'content': 'Users of OpenReplay versions prior to 1.20.0 are advised to update to a patched version to mitigate this risk.'}] [1]

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by testing the POST /{projectId}/cards/search endpoint for SQL injection via the sort.field parameter.'}, {'type': 'paragraph', 'content': 'A possible detection method is to send crafted POST requests to this endpoint with malicious payloads in the sort.field parameter to observe if SQL injection occurs.'}, {'type': 'paragraph', 'content': 'For example, you can use curl to send a test request:'}, {'type': 'list_item', 'content': 'curl -X POST https://your-openreplay-instance/{projectId}/cards/search -H \'Content-Type: application/json\' -d \'{"sort": {"field": "id; DROP TABLE users; --", "order": "asc"}}\''}, {'type': 'paragraph', 'content': 'If the server executes the injected SQL or returns an error indicating SQL syntax issues, it suggests the vulnerability is present.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to update OpenReplay to version 1.20.0 or later, where this vulnerability has been patched.

You can update by running the command: openreplay -u

Until the update is applied, consider restricting access to the vulnerable endpoint or implementing input validation and sanitization on the sort.field parameter to prevent SQL injection.

Useful 0 Not Useful 0