Executive Summary
A critical stored cross-site scripting (XSS) vulnerability in OpenReplay, a popular open-source self-hosted session replay platform, allows unauthenticated attackers to inject malicious JavaScript into the admin dashboard. Tracked as CVE-2026-55879 with a CVSS score of 9.3, the flaw enables full account takeover of authenticated dashboard users, including theft of session tokens and administrative credentials.
CVSS Score: 9.3 (Critical)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Vulnerability Overview
Root Cause
OpenReplay's JavaScript tracking SDK accepts custom event names and captured page URLs submitted by any visitor using a public project key. These inputs are passed directly to the backend, stored without sanitization in ClickHouse (OpenReplay's data store), and subsequently rendered unsanitized within the authenticated admin replay dashboard.
This creates a classic stored XSS pathway: an unauthenticated attacker poisons the backend via the public-facing SDK, then waits for an authenticated dashboard user to trigger payload execution during session review.
Attack Flow
- Attacker identifies an OpenReplay-instrumented application and its public project key (exposed client-side by design)
- Attacker crafts a malicious session with a custom event name or page URL containing an XSS payload
- Payload is stored in ClickHouse via the public ingestion API — no authentication required
- Dashboard user reviews the poisoned session replay — the malicious script executes in the admin origin context
- Attacker receives the victim's session JWT (extracted from
localStorage) and gains full dashboard access
Why It's Critical
- No authentication required to inject the payload
- Scope is changed (
S:C): impact extends beyond the vulnerable component to the entire admin dashboard origin - High confidentiality and integrity impact: session token theft leads to full account takeover
- Any organization running OpenReplay 1.24.x and reviewing session replays is at risk
Affected Versions
| Product | Affected Versions | Fixed Version |
|---|---|---|
| OpenReplay (self-hosted) | >= 1.24.0, < 1.25.0 | 1.25.0 |
Cloud-hosted OpenReplay.com deployments are managed by the vendor and should be updated automatically.
Patch and Mitigation
Immediate Action
Upgrade to OpenReplay 1.25.0 immediately. The fix introduces proper input sanitization and output encoding for custom event names and page URLs before storage and rendering.
# Check your current OpenReplay version
cat /var/www/openreplay/scripts/helmcharts/openreplay/Chart.yaml | grep appVersionInterim Workaround
No documented workaround exists. If immediate upgrade is not possible:
- Restrict access to the admin dashboard by IP allowlist at the network/reverse proxy level
- Pause session review of incoming sessions until the upgrade is applied
- Monitor for unexpected outbound requests from dashboard sessions, which may indicate active exploitation
Indicators of Compromise
Watch for the following suspicious patterns in OpenReplay event data:
- Custom event names containing
<script>,javascript:,onerror=, or HTML event handler attributes - Page URLs with encoded or obfuscated XSS payloads
- Unusual dashboard administrator session activity, especially from unexpected IP addresses or user agents
- Unexpected API calls or external resource loads triggered during session replay viewing
Timeline
| Date | Event |
|---|---|
| 2026-07-xx | Vulnerability reported to OpenReplay security team |
| 2026-07-11 | CVE-2026-55879 published (NVD) |
| 2026-07-11 | OpenReplay 1.25.0 released with fix |
Recommendations
- Update now: Upgrade to OpenReplay 1.25.0 immediately
- Audit logs: Review recent dashboard access logs for unauthorized session activity
- Rotate credentials: Reset passwords and invalidate active sessions for all dashboard users
- Restrict exposure: Ensure the OpenReplay ingestion endpoint is not unnecessarily exposed without rate limiting