Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1845+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. Security
  3. CVE-2026-55879: OpenReplay Stored XSS Enables Dashboard Account Takeover
CVE-2026-55879: OpenReplay Stored XSS Enables Dashboard Account Takeover

Critical Security Alert

This vulnerability is actively being exploited. Immediate action is recommended.

SECURITYCRITICALCVE-2026-55879

CVE-2026-55879: OpenReplay Stored XSS Enables Dashboard Account Takeover

A critical stored XSS vulnerability in OpenReplay's session replay SDK allows unauthenticated attackers to inject malicious scripts via the public tracking API, hijacking authenticated admin sessions.

Dylan H.

Security Team

July 11, 2026
3 min read

Affected Products

  • OpenReplay >= 1.24.0 and < 1.25.0 (self-hosted)

Executive Summary

A critical stored cross-site scripting (XSS) vulnerability in OpenReplay, a popular open-source self-hosted session replay platform, allows unauthenticated attackers to inject malicious JavaScript into the admin dashboard. Tracked as CVE-2026-55879 with a CVSS score of 9.3, the flaw enables full account takeover of authenticated dashboard users, including theft of session tokens and administrative credentials.

CVSS Score: 9.3 (Critical)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N


Vulnerability Overview

Root Cause

OpenReplay's JavaScript tracking SDK accepts custom event names and captured page URLs submitted by any visitor using a public project key. These inputs are passed directly to the backend, stored without sanitization in ClickHouse (OpenReplay's data store), and subsequently rendered unsanitized within the authenticated admin replay dashboard.

This creates a classic stored XSS pathway: an unauthenticated attacker poisons the backend via the public-facing SDK, then waits for an authenticated dashboard user to trigger payload execution during session review.

Attack Flow

  1. Attacker identifies an OpenReplay-instrumented application and its public project key (exposed client-side by design)
  2. Attacker crafts a malicious session with a custom event name or page URL containing an XSS payload
  3. Payload is stored in ClickHouse via the public ingestion API — no authentication required
  4. Dashboard user reviews the poisoned session replay — the malicious script executes in the admin origin context
  5. Attacker receives the victim's session JWT (extracted from localStorage) and gains full dashboard access

Why It's Critical

  • No authentication required to inject the payload
  • Scope is changed (S:C): impact extends beyond the vulnerable component to the entire admin dashboard origin
  • High confidentiality and integrity impact: session token theft leads to full account takeover
  • Any organization running OpenReplay 1.24.x and reviewing session replays is at risk

Affected Versions

ProductAffected VersionsFixed Version
OpenReplay (self-hosted)>= 1.24.0, < 1.25.01.25.0

Cloud-hosted OpenReplay.com deployments are managed by the vendor and should be updated automatically.


Patch and Mitigation

Immediate Action

Upgrade to OpenReplay 1.25.0 immediately. The fix introduces proper input sanitization and output encoding for custom event names and page URLs before storage and rendering.

# Check your current OpenReplay version
cat /var/www/openreplay/scripts/helmcharts/openreplay/Chart.yaml | grep appVersion

Interim Workaround

No documented workaround exists. If immediate upgrade is not possible:

  • Restrict access to the admin dashboard by IP allowlist at the network/reverse proxy level
  • Pause session review of incoming sessions until the upgrade is applied
  • Monitor for unexpected outbound requests from dashboard sessions, which may indicate active exploitation

Indicators of Compromise

Watch for the following suspicious patterns in OpenReplay event data:

  • Custom event names containing <script>, javascript:, onerror=, or HTML event handler attributes
  • Page URLs with encoded or obfuscated XSS payloads
  • Unusual dashboard administrator session activity, especially from unexpected IP addresses or user agents
  • Unexpected API calls or external resource loads triggered during session replay viewing

Timeline

DateEvent
2026-07-xxVulnerability reported to OpenReplay security team
2026-07-11CVE-2026-55879 published (NVD)
2026-07-11OpenReplay 1.25.0 released with fix

Recommendations

  1. Update now: Upgrade to OpenReplay 1.25.0 immediately
  2. Audit logs: Review recent dashboard access logs for unauthorized session activity
  3. Rotate credentials: Reset passwords and invalidate active sessions for all dashboard users
  4. Restrict exposure: Ensure the OpenReplay ingestion endpoint is not unnecessarily exposed without rate limiting

References

  • NVD — CVE-2026-55879
  • OpenReplay GitHub Repository
  • CWE-79: Improper Neutralization of Input During Web Page Generation (XSS)
#CVE-2026-55879#OpenReplay#XSS#Stored XSS#Session Replay#Account Takeover

Related Articles

CVE-2026-2342: ValeApp Stored Cross-Site Scripting (CVSS 9.3)

A critical stored XSS vulnerability in OceanicSoft's ValeApp allows attackers to inject persistent JavaScript payloads that execute in every victim's browser, enabling session hijacking, credential theft, and account takeover at scale.

5 min read

CVE-2026-36748: High-Severity Stored XSS in RockRMS via Social Media Profile Links

RockRMS versions up to v16.13 are vulnerable to a CVSS 9.0 stored cross-site scripting flaw that allows attackers to inject malicious scripts through social…

2 min read

CVE-2026-44212: PrestaShop Stored XSS in Customer Service

A stored Cross-Site Scripting vulnerability (CVSS 9.3) in PrestaShop's back-office Customer Service view allows unauthenticated attackers to inject...

5 min read
Back to all Security Alerts