CVE-2026-45296
Deferred Deferred - Pending Action
Cross-Tenant Data Exposure in OpenReplay Python API

Publication date: 2026-05-28

Last updated on: 2026-05-28

Assigner: GitHub, Inc.

Description
OpenReplay is a self-hosted session replay suite. Prior to 1.26.0, OpenReplay's Python API exposes several app_apikey routes that trust a caller-provided projectKey after validating only that the API key itself is valid and that the target projectKey exists. The authorization flow does not verify that the authenticated API key and the requested project belong to the same tenant. Because the public tracker design exposes projectKey to browser-side code, an attacker who owns any valid API key for their own tenant can target another tenant's project by reusing that public projectKey. The vulnerable routes allow the attacker to enumerate victim user sessions and then retrieve sensitive session event data across the tenant boundary. This vulnerability is fixed in 1.26.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-28
Last Modified
2026-05-28
Generated
2026-06-18
AI Q&A
2026-05-28
EPSS Evaluated
2026-06-16
NVD
CVE-2026-45296
EUVD
EUVD-2026-32971
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
openreplay openreplay to 1.26.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in OpenReplay's Python API (CVE-2026-45296) allows an attacker who has a valid API key for their own tenant to access sensitive session data belonging to another tenant. The issue arises because the API routes validate the API key and the existence of a projectKey but do not verify that the API key and the projectKey belong to the same tenant. Since projectKey values are exposed in browser-side code, an attacker can use their own API key combined with another tenant's projectKey to enumerate user sessions and retrieve confidential session event data across tenant boundaries.

This flaw is due to improper access control where authorization is split between API key authentication and project resolution without enforcing tenant isolation. The vulnerability affects OpenReplay versions prior to 1.26.0 and has been fixed in version 1.26.0.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive session data from other tenants. An attacker with low privileges and a valid API key for their own tenant can remotely enumerate victim user sessions and retrieve confidential session event information from other tenants without user interaction.

The impact includes a breach of confidentiality, potentially exposing sensitive user details and session events, which can compromise user privacy and trust.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade OpenReplay to version 1.26.0 or later, where the issue has been fixed.

This update enforces proper tenant isolation by verifying that the authenticated API key and the requested project belong to the same tenant, preventing unauthorized cross-tenant data access.

Compliance Impact

The vulnerability in OpenReplay's Python API allows unauthorized cross-tenant access to sensitive session event data, which can lead to exposure of confidential user information.

Such unauthorized disclosure of sensitive data can negatively impact compliance with data protection regulations and standards like GDPR and HIPAA, which require strict controls on access to personal and sensitive information to protect user privacy and ensure data confidentiality.

Because the vulnerability enables attackers to enumerate and retrieve sensitive session data across tenant boundaries without proper authorization, it represents a failure in enforcing data isolation and access control, which are critical requirements under these regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45296. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart