CVE-2026-55880
Received Received - Intake

SQL Injection in OpenReplay Dashboard and Notes

Vulnerability report for CVE-2026-55880, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: GitHub, Inc.

Description

OpenReplay is a self-hosted session replay suite. In 1.27.0 and earlier, three dashboard and note mutation functions ran their SQL without the ownership predicate that their sibling read and edit functions use: notes.delete filtered only on note id and project id, while dashboards.update_widget and dashboards.remove_widget filtered only on dashboard id and widget id, allowing any authenticated member to delete another user's private session notes and remove or rewrite widgets on another user's private dashboards.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-11
AI Q&A
2026-07-11
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
openreplay openreplay to 1.27.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

This vulnerability allows any authenticated member to delete another user's private session notes and modify widgets on another user's private dashboards without proper ownership checks.

Such unauthorized access and modification of private user data can lead to violations of data protection and privacy regulations like GDPR and HIPAA, which require strict controls over access to personal and sensitive information.

Therefore, the vulnerability could negatively impact compliance with these standards by enabling unauthorized data manipulation and potential data integrity issues.

Executive Summary

This vulnerability exists in OpenReplay versions 1.27.0 and earlier. It involves three dashboard and note mutation functions that execute SQL queries without properly verifying ownership. Specifically, the functions notes.delete, dashboards.update_widget, and dashboards.remove_widget do not include ownership predicates in their SQL filters, unlike their corresponding read and edit functions.

As a result, any authenticated member can delete another user's private session notes or remove or modify widgets on another user's private dashboards, bypassing intended access controls.

Impact Analysis

This vulnerability can lead to unauthorized modification or deletion of private data within OpenReplay. Specifically, an attacker with authenticated access could delete private session notes belonging to other users or alter widgets on their private dashboards.

Such unauthorized actions could disrupt user workflows, cause data loss, and compromise the integrity of user dashboards, potentially impacting business operations and user trust.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-55880. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart