CVE-2026-55880

Source
https://cve.org/CVERecord?id=CVE-2026-55880
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-55880.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-55880
Aliases
  • GHSA-9xfv-p2fx-vmx9
Published
2026-07-10T20:42:15.563Z
Modified
2026-07-16T03:31:01.368342633Z
Severity
  • 7.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L CVSS Calculator
Summary
OpenReplay: Cross-user IDOR in notes and dashboard widgets
Details

OpenReplay is a self-hosted session replay suite. In 1.27.0 and earlier, three dashboard and note mutation functions ran their SQL without the ownership predicate that their sibling read and edit functions use: notes.delete filtered only on note id and project id, while dashboards.updatewidget and dashboards.removewidget filtered only on dashboard id and widget id, allowing any authenticated member to delete another user's private session notes and remove or rewrite widgets on another user's private dashboards.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/55xxx/CVE-2026-55880.json",
    "cwe_ids": [
        "CWE-639"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/openreplay/openreplay

Affected ranges

Type
GIT
Repo
https://github.com/openreplay/openreplay
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.27.0"
        }
    ],
    "source": "AFFECTED_FIELD"
}

Affected versions

0.*
0.6.17
Other
argo
main-backup-20260505154404
main-backup-20260505161141
main-backup-20260506070441
main-backup-20260506134828
main-backup-20260506141435
main-backup-20260506143740
main-backup-20260506161841
main-backup-20260507172251
main-backup-20260511114059
main-backup-20260511114323
main-backup-20260511154612
or-argo-test
pre-v1.*
pre-v1.19.0
pre-v1.20.0
pre-v1.21.0
pre-v1.22.0
pre-v1.24.0
pre-v1.25.0
pre-v1.26.0
pre-v1.27.0
pre_v1.*
pre_v1.18.0
v.*
v.1.14.0
v0.*
v0.5.0
v1.*
v1.0.0
v1.1.0
v1.2.0
v1.26.0
v1.27.0
v1.3.0
v1.3.6
v1.4.0
v1.5.0
v1.5.1
v1.5.2
v1.9.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-55880.json"