CVE-2026-57230: OpenReplay is a self-hosted session replay suite. Prior to 1.27.0, the session search and analytics API in enterprise editions with multi-tenancy enabled built ClickHouse queries b
OpenReplay is a self-hosted session replay suite. Prior to 1.27.0, the session search and analytics API in enterprise editions with multi-tenancy enabled built ClickHouse queries by inserting user input into the query string, including two positions that took input without escaping, allowing an authenticated member to read any ClickHouse table through blind boolean and time-based exfiltration and to break the project's session search for all viewers until the stored key is removed. This issue is fixed in version 1.27.0.
Details
Original advisory: https://nvd.nist.gov/vuln/detail/CVE-2026-57230
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2026-57230 | coverage & exploitation status | NVD · CVE.org |
Recent advisories for OpenReplay is a
A cluster of recent advisories against the same product widens the attack surface — attackers routinely chain freshly published CVEs on one product, so review these together.
- unknownCVE-2026-55881: OpenReplay is a self-hosted session replay suite. From 1.22.0 before 1.27.0, getFirstMob retur…nvd · 2026-07-10
- highCVE-2026-55880: OpenReplay is a self-hosted session replay suite. In 1.27.0 and earlier, three dashboard and n…nvd · 2026-07-10
- criticalCVE-2026-55879: OpenReplay is a self-hosted session replay suite. From 1.24.0 before 1.25.0, the OpenReplay tr…nvd · 2026-07-10
More from NVD Recent CVEs
- unknownCVE-2026-57828: The Joomla extension Phoca Downloads is vulnerable to an authenticated arbitrary file upload t…2026-07-11
- unknownCVE-2026-57827: The Joomla extension RSFiles is vulnerable to an unauthenticated arbitrary file upload that al…2026-07-11
- highCVE-2026-1359: The Genolve – AI image AI video generation plugin for WordPress is vulnerable to unauthorized m…2026-07-11
- highCVE-2026-9282: The W3 Total Cache plugin for WordPress is vulnerable to Directory Traversal in all versions up…2026-07-11
- mediumCVE-2026-9017: The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to autho…2026-07-11