CVE-2026-55880
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
10/07/2026
Last modified:
10/07/2026
Description
OpenReplay is a self-hosted session replay suite. In 1.27.0 and earlier, three dashboard and note mutation functions ran their SQL without the ownership predicate that their sibling read and edit functions use: notes.delete filtered only on note id and project id, while dashboards.update_widget and dashboards.remove_widget filtered only on dashboard id and widget id, allowing any authenticated member to delete another user's private session notes and remove or rewrite widgets on another user's private dashboards.
Impact
Base Score 3.x
7.10
Severity 3.x
HIGH



