CVE-2026-55880

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
10/07/2026
Last modified:
10/07/2026

Description

OpenReplay is a self-hosted session replay suite. In 1.27.0 and earlier, three dashboard and note mutation functions ran their SQL without the ownership predicate that their sibling read and edit functions use: notes.delete filtered only on note id and project id, while dashboards.update_widget and dashboards.remove_widget filtered only on dashboard id and widget id, allowing any authenticated member to delete another user's private session notes and remove or rewrite widgets on another user's private dashboards.