OpenReplay is a self-hosted session replay suite. Prior to 1.26.0, there is a cross-tenant IDOR on feature-flag and assist-stats routes via {projectid} case mismatch. ProjectAuthorizer.call (OSS api/auth/authproject.py:14-38 and EE ee/api/auth/authproject.py:14-46) only runs projects.isauthorized(projectid, tenantid, userid) + projects.getproject(tenantid, projectid) when self.projectidentifier == "projectId" (camelCase). For EE multi-tenant, feature-flag queries only filter on projectid, never tenantid. Any authenticated user in tenant A can read/update/delete feature-flag rows belonging to tenant B by iterating the sequential integer projectid + featureflagid. OSS is single-tenant by design ({"errors":["tenants already registered"]} on second signup) so there's no cross-tenant impact This vulnerability is fixed in 1.26.0.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45297.json",
"cwe_ids": [
"CWE-285",
"CWE-639",
"CWE-863"
],
"cna_assigner": "GitHub_M"
}