CVE-2026-45296
Deferred - Pending Action
Cross-Tenant Data Exposure in OpenReplay Python API

Publication date: 2026-05-28

Last updated on: 2026-05-28

Assigner: GitHub, Inc.

Description
OpenReplay is a self-hosted session replay suite. Prior to 1.26.0, OpenReplay's Python API exposes several app_apikey routes that trust a caller-provided projectKey after validating only that the API key itself is valid and that the target projectKey exists. The authorization flow does not verify that the authenticated API key and the requested project belong to the same tenant. Because the public tracker design exposes projectKey to browser-side code, an attacker who owns any valid API key for their own tenant can target another tenant's project by reusing that public projectKey. The vulnerable routes allow the attacker to enumerate victim user sessions and then retrieve sensitive session event data across the tenant boundary. This vulnerability is fixed in 1.26.0.
Meta Information
Published: 2026-05-28
Last Modified: 2026-05-28
Generated: 2026-05-29
AI Q&A: 2026-05-28
EPSS Evaluated: N/A
External references: NVD, EUVD
Affected Vendors & Products (1 associated CPE)
Vendor: openreplay
Product: openreplay
Version / Range: up to 1.26.0 (excluding)
CWE
CWE-284: The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability in OpenReplay's Python API (CVE-2026-45296) allows an attacker who has a valid API key for their own tenant to access sensitive session data belonging to another tenant. The issue arises because the API routes validate the API key and the existence of a projectKey but do not verify that the API key and the projectKey belong to the same tenant. Since projectKey values are exposed in browser-side code, an attacker can use their own API key combined with another tenant's projectKey to enumerate user sessions and retrieve confidential session event data across tenant boundaries.

This flaw is due to improper access control where authorization is split between API key authentication and project resolution without enforcing tenant isolation. The vulnerability affects OpenReplay versions prior to 1.26.0 and has been fixed in version 1.26.0.


How can this vulnerability impact me?

This vulnerability can lead to unauthorized disclosure of sensitive session data from other tenants. An attacker with low privileges and a valid API key for their own tenant can remotely enumerate victim user sessions and retrieve confidential session event information from other tenants without user interaction.

The impact includes a breach of confidentiality, potentially exposing sensitive user details and session events, which can compromise user privacy and trust.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, you should upgrade OpenReplay to version 1.26.0 or later, where the issue has been fixed.

This update enforces proper tenant isolation by verifying that the authenticated API key and the requested project belong to the same tenant, preventing unauthorized cross-tenant data access.
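As an added illustration (hypothetical models and names, not OpenReplay's own code), the two authorization patterns that the description and this answer contrast: a resolver that only checks that the API key is valid and the projectKey exists, beside one that also requires the key's tenant to own the project.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Project:
    project_id: int
    project_key: str  # public value embedded in the browser-side tracker
    tenant_id: int

class AuthError(Exception):
    pass

# Constructed sample data (hypothetical): two tenants, one API key and one project each.
API_KEY_TENANT = {"key-tenant-a": 1, "key-tenant-b": 2}  # api key -> owning tenant id
PROJECTS = {
    "pk-a": Project(101, "pk-a", tenant_id=1),
    "pk-b": Project(202, "pk-b", tenant_id=2),
}

def resolve_project_vulnerable(api_key: str, project_key: str) -> Project:
    """Pre-1.26.0 pattern: the key must be valid and the project must exist,
    but nothing ties the two to the same tenant."""
    if api_key not in API_KEY_TENANT:
        raise AuthError("invalid API key")
    project = PROJECTS.get(project_key)
    if project is None:
        raise AuthError("unknown projectKey")
    return project  # a projectKey from another tenant is accepted here

def resolve_project_fixed(api_key: str, project_key: str) -> Project:
    """Hardened pattern: resolve the project only within the caller's tenant."""
    caller_tenant = API_KEY_TENANT.get(api_key)
    if caller_tenant is None:
        raise AuthError("invalid API key")
    project = PROJECTS.get(project_key)
    # One generic error for "missing" and "foreign" projects, so the response
    # does not confirm that a projectKey exists in another tenant.
    if project is None or project.tenant_id != caller_tenant:
        raise AuthError("unknown projectKey")
    return project

def is_authorized(resolver, api_key: str, project_key: str) -> bool:
    """True if the resolver grants access; lets the two policies be compared."""
    try:
        resolver(api_key, project_key)
        return True
    except AuthError:
        return False
```

The same tenant-ownership check belongs in every app_apikey route that resolves a project, not only in one handler, since a single route that omits it reopens the cross-tenant path.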


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability in OpenReplay's Python API allows unauthorized cross-tenant access to sensitive session event data, which can lead to exposure of confidential user information.

Such unauthorized disclosure of sensitive data can negatively impact compliance with data protection regulations and standards like GDPR and HIPAA, which require strict controls on access to personal and sensitive information to protect user privacy and ensure data confidentiality.

Because the vulnerability enables attackers to enumerate and retrieve sensitive session data across tenant boundaries without proper authorization, it represents a failure in enforcing data isolation and access control, which are critical requirements under these regulations.

