CVE-2026-45296
Description
OpenReplay is a self-hosted session replay suite. Prior to 1.26.0, OpenReplay's Python API exposes several app_apikey routes that trust a caller-provided projectKey after validating only that the API key itself is valid and that the target projectKey exists. The authorization flow does not verify that the authenticated API key and the requested project belong to the same tenant. Because the public tracker design exposes projectKey to browser-side code, an attacker who owns any valid API key for their own tenant can target another tenant's project by reusing that public projectKey. The vulnerable routes allow the attacker to enumerate victim user sessions and then retrieve sensitive session event data across the tenant boundary. This vulnerability is fixed in 1.26.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
OpenReplay's API fails to bind tenant identity to projectKey lookups, letting an attacker with any valid key access another tenant's session data.
Vulnerability
OpenReplay prior to version 1.26.0 contains a missing tenant-binding check in its Python API. Several app_apikey routes trust a caller-provided projectKey after validating only that the API key itself is valid and that the target projectKey exists. The authorization flow does not verify that the authenticated API key and the requested project belong to the same tenant. The vulnerable code is in api/auth/auth_project.py where ProjectAuthorizer uses projects.get_by_project_key(project_key=value) globally instead of scoping the lookup by the API key owner's tenant ID [1]. Versions prior to 1.26.0 are affected.
Exploitation
An attacker must have a valid API key for their own tenant. Because the public tracker design exposes projectKey to browser-side code, the attacker can obtain the target tenant's projectKey (e.g., from a victim's client-side code). The attacker then submits that projectKey to a vulnerable app_apikey route along with their own valid API key. The API key authenticates the attacker, but the projectKey lookup is not scoped to the attacker's tenant, so the server returns data from the victim's project [1]. No special network position is required beyond normal API access.
Impact
A successful exploit allows the attacker to enumerate victim user sessions and retrieve sensitive session event data across the tenant boundary. This constitutes unauthorized information disclosure of private session replay data belonging to another tenant's users [1]. The compromise is limited to read access via the vulnerable routes; the attacker does not gain administrative privileges or the ability to modify data.
Mitigation
OpenReplay fixed the vulnerability in version 1.26.0 by ensuring that projectKey lookups are scoped to the authenticated API key's tenant [1]. Users should upgrade to 1.26.0 or later. There are no publicly known workarounds for unpatched versions. The CVE is not listed in CISA's Known Exploited Vulnerabilities catalog as of publication date.
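Since no workaround exists for unpatched versions, the practical defensive action besides upgrading is to look back through API access logs for requests where the authenticated key's tenant and the requested project's owner disagree. The script below is an added example, not OpenReplay code or a tool shipped with it. It assumes an access log in JSON Lines form whose records carry the tenant the API key authenticated as (the field name api_key_tenant is an assumption) and the request path; the route shapes are the two named in this page's attack-vector section, and the projectKey-to-tenant table and the log lines are constructed sample data.

```python
"""Retrospective audit for cross-tenant projectKey use on the app_apikey routes.
Added example; field names, route regex and sample data are assumptions."""
import json
import re
from typing import Dict, List

# Assumed route shapes (from the advisory): the public projectKey is the first
# path segment after /v1/ on the affected session and event routes.
ROUTE_RE = re.compile(
    r"^/v1/(?P<project_key>[^/]+)/(?:users/[^/]+/sessions|sessions/[^/]+/events)"
)

# Constructed sample of what SELECT project_key, tenant_id FROM public.projects
# would return for non-deleted projects.
PROJECT_TENANT: Dict[str, int] = {
    "pk_tenant_a_public": 1,
    "pk_tenant_b_public": 2,
}

# Constructed sample access-log lines. Tenant 1's key is used against tenant 2's
# projectKey twice; the other requests are legitimate or not on affected routes.
SAMPLE_LOG = """\
{"ts":"2026-05-01T10:00:00Z","api_key_tenant":1,"method":"GET","path":"/v1/pk_tenant_a_public/users/u42/sessions","status":200}
{"ts":"2026-05-01T10:00:05Z","api_key_tenant":1,"method":"GET","path":"/v1/pk_tenant_b_public/users/u7/sessions","status":200}
{"ts":"2026-05-01T10:00:09Z","api_key_tenant":1,"method":"GET","path":"/v1/pk_tenant_b_public/sessions/s99/events","status":200}
{"ts":"2026-05-01T10:01:00Z","api_key_tenant":2,"method":"GET","path":"/v1/pk_tenant_b_public/sessions/s99/events","status":200}
{"ts":"2026-05-01T10:02:00Z","api_key_tenant":2,"method":"GET","path":"/v1/healthz","status":200}
"""


def find_cross_tenant_requests(log_text: str, project_tenant: Dict[str, int]) -> List[dict]:
    """Return the log records whose authenticated tenant differs from the tenant
    that owns the projectKey in the request path. Requests that are not on an
    affected route, or whose projectKey is unknown (deleted or never existed),
    are skipped because no owner can be determined for them."""
    findings: List[dict] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        m = ROUTE_RE.match(rec.get("path", ""))
        if not m:
            continue
        key = m.group("project_key")
        owner = project_tenant.get(key)
        if owner is None or owner == rec["api_key_tenant"]:
            continue
        findings.append({**rec, "project_key": key, "owner_tenant": owner})
    return findings


if __name__ == "__main__":
    for f in find_cross_tenant_requests(SAMPLE_LOG, PROJECT_TENANT):
        print(f"{f['ts']} key-tenant={f['api_key_tenant']} "
              f"owner-tenant={f['owner_tenant']} {f['method']} {f['path']}")
```

On a real deployment the mapping would be pulled from the projects table and the log would be whatever the API gateway or application emits; the only requirement is that each record lets you recover both the key's tenant and the path, since the status code alone cannot distinguish a cross-tenant read from a legitimate one on the unpatched versions.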
AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <1.26.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing tenant-binding check between API key authentication and projectKey resolution allows cross-tenant project access."
Attack vector
An attacker who possesses any valid API key for their own tenant can target another tenant's project by supplying that victim's public `projectKey` in the URL path. The `projectKey` is exposed to browser-side code by the public tracker design, making it trivially discoverable [1]. The vulnerable routes (e.g., `/v1/{projectKey}/users/{userId}/sessions` and `/v1/{projectKey}/sessions/{sessionId}/events`) then resolve the victim's project and return session data belonging to that other tenant, because the authorization flow never checks that the authenticated API key's tenant matches the resolved project's tenant [1].
Affected code
The vulnerability spans three files. In `api/auth/auth_apikey.py`, the `APIKeyAuth` class validates the API key and stores only the key owner's `tenantId` in the request context. In `api/auth/auth_project.py`, the `ProjectAuthorizer` resolves a `projectKey` globally via `projects.get_by_project_key(project_key=value)` without filtering by tenant. In `api/chalicelib/core/projects.py`, the `get_by_project_key` function queries `public.projects` only by `project_key` and `deleted_at ISNULL`, with no tenant scoping [1].
What the fix does
The advisory states the vulnerability is fixed in OpenReplay 1.26.0 but does not include a patch diff [1]. The remediation would require a tenant-binding check in the `projectKey` resolution path, either by making `get_by_project_key` also verify that the resolved project belongs to the same tenant as the authenticated API key, or by adding an explicit authorization gate after project resolution that compares `context.project.tenant_id` against `current_user.tenant_id` [1].
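To make the affected-code description and the two remediation shapes concrete, here is an added example that models the flaw and its fix side by side. It is not OpenReplay's source: the `Project` record, the in-memory `PROJECTS` table and the two resolver functions are stand-ins constructed for this illustration, and `get_by_project_key` reproduces only the behaviour this page attributes to it (filter on `project_key` and `deleted_at IS NULL`, nothing else). The hardened resolver applies both fixes the page describes: a tenant-scoped lookup plus an explicit tenant comparison after resolution.

```python
"""Model of the missing tenant-binding check between API-key authentication and
projectKey resolution. Added example; all names and data below are constructed."""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Project:
    project_id: int
    project_key: str          # public value, visible to browser-side tracker code
    tenant_id: int            # owning tenant
    deleted_at: Optional[str] = None


# Constructed stand-in for public.projects: two tenants, plus a deleted project.
PROJECTS = [
    Project(project_id=1, project_key="pk_tenant_a_public", tenant_id=1),
    Project(project_id=2, project_key="pk_tenant_b_public", tenant_id=2),
    Project(project_id=3, project_key="pk_deleted", tenant_id=2, deleted_at="2026-01-01"),
]


class AuthorizationError(Exception):
    """Raised when the request must be refused."""


def get_by_project_key(project_key: str) -> Optional[Project]:
    """Global lookup as described for projects.get_by_project_key: filters only on
    project_key and deleted_at IS NULL, with no tenant scoping."""
    for p in PROJECTS:
        if p.project_key == project_key and p.deleted_at is None:
            return p
    return None


def get_by_project_key_for_tenant(project_key: str, tenant_id: int) -> Optional[Project]:
    """Fix shape 1: the same lookup with the caller's tenant added to the filter."""
    p = get_by_project_key(project_key)
    if p is None or p.tenant_id != tenant_id:
        return None
    return p


def resolve_project_vulnerable(api_key_tenant_id: int, project_key: str) -> Project:
    """Pre-1.26.0 pattern: the API key has already been authenticated, so the
    caller's tenant is known, but the projectKey is resolved globally and the
    two tenants are never compared."""
    project = get_by_project_key(project_key)
    if project is None:
        raise AuthorizationError("project not found")
    return project          # may belong to a different tenant than the key


def resolve_project_fixed(api_key_tenant_id: int, project_key: str) -> Project:
    """Hardened pattern: tenant-scoped lookup (fix shape 1) followed by an explicit
    gate comparing project.tenant_id with the key's tenant (fix shape 2). Unknown
    and cross-tenant keys produce the same error so the response does not reveal
    whether a foreign projectKey exists."""
    project = get_by_project_key_for_tenant(project_key, api_key_tenant_id)
    if project is None or project.tenant_id != api_key_tenant_id:
        raise AuthorizationError("project not found")
    return project


Resolver = Callable[[int, str], Project]


def is_authorized(api_key_tenant_id: int, project_key: str, resolver: Resolver) -> bool:
    """True when the given resolver would hand the caller a project object."""
    try:
        resolver(api_key_tenant_id, project_key)
        return True
    except AuthorizationError:
        return False


if __name__ == "__main__":
    # Tenant 1's key presenting tenant 2's public projectKey.
    print("vulnerable:", is_authorized(1, "pk_tenant_b_public", resolve_project_vulnerable))
    print("fixed:     ", is_authorized(1, "pk_tenant_b_public", resolve_project_fixed))
```

Keeping the check in the resolver (rather than only in the individual route handlers) matters because the page lists several affected routes; a single scoped resolution point closes all of them at once, and the post-resolution comparison stays as defence in depth if a future lookup path forgets the tenant filter.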
Preconditions
- auth: Attacker must have a valid API key for any tenant in the OpenReplay deployment
- input: Attacker must know the victim tenant's public projectKey (exposed to browser-side code by the tracker)
- input: The target projectKey must correspond to an existing, non-deleted project in the victim tenant
- network: Network access to the OpenReplay Python API endpoints
Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.