CVE-2026-28443
SQL Injection in OpenReplay Cards Search Endpoint Prior to
Publication date: 2026-03-05
Last updated on: 2026-03-17
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openreplay | openreplay | to 1.20.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': 'CVE-2026-28443 is a SQL injection vulnerability in the OpenReplay software, specifically affecting the POST /{projectId}/cards/search endpoint in versions prior to 1.20.0.'}, {'type': 'paragraph', 'content': "The issue arises because the sort.field parameter is used directly in an SQL query's ORDER BY clause without proper validation or sanitization. This parameter is interpolated into the SQL query using an f-string before the query is executed, allowing an attacker to inject malicious SQL code."}, {'type': 'paragraph', 'content': 'While other parameters are sanitized properly, the sort.field parameter lacks validation, making it possible for an attacker to manipulate the SQL query and potentially execute arbitrary SQL commands.'}, {'type': 'paragraph', 'content': 'This vulnerability is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) and was fixed in OpenReplay versions greater than 1.20.0.'}] [1]
How can this vulnerability impact me? :
[{'type': 'paragraph', 'content': 'This SQL injection vulnerability can allow an attacker to execute arbitrary SQL commands on the database used by OpenReplay.'}, {'type': 'paragraph', 'content': 'Potential impacts include unauthorized data access, data modification, data deletion, or even complete compromise of the database.'}, {'type': 'paragraph', 'content': "Because the vulnerability is exploitable without authentication (no privileges required), it poses a significant risk to the confidentiality, integrity, and availability of the affected system's data."}, {'type': 'paragraph', 'content': 'Users of OpenReplay versions prior to 1.20.0 are advised to update to a patched version to mitigate this risk.'}] [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability can be detected by testing the POST /{projectId}/cards/search endpoint for SQL injection via the sort.field parameter.'}, {'type': 'paragraph', 'content': 'A possible detection method is to send crafted POST requests to this endpoint with malicious payloads in the sort.field parameter to observe if SQL injection occurs.'}, {'type': 'paragraph', 'content': 'For example, you can use curl to send a test request:'}, {'type': 'list_item', 'content': 'curl -X POST https://your-openreplay-instance/{projectId}/cards/search -H \'Content-Type: application/json\' -d \'{"sort": {"field": "id; DROP TABLE users; --", "order": "asc"}}\''}, {'type': 'paragraph', 'content': 'If the server executes the injected SQL or returns an error indicating SQL syntax issues, it suggests the vulnerability is present.'}] [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update OpenReplay to version 1.20.0 or later, where this vulnerability has been patched.
You can update by running the command: openreplay -u
Until the update is applied, consider restricting access to the vulnerable endpoint or implementing input validation and sanitization on the sort.field parameter to prevent SQL injection.