OpenReplay is a self-hosted session replay suite. Prior to 1.26.0, OpenReplay's Python API exposes several app_apikey routes that trust a caller-provided projec…

OpenReplay, a self-hosted session replay suite, contains an authorization vulnerability in versions prior to 1.26.0. The Python API's app_apikey routes improperly validate projectKey parameters, only checking API key validity and project existence without verifying tenant ownership. This flaw allows attackers with valid API keys to target other tenants' projects using exposed projectKey values from browser-side code. Attackers can enumerate victim user sessions and retrieve sensitive session event data across tenant boundaries. The vulnerability enables cross-tenant data access in multi-tenant OpenReplay deployments. This issue has been fixed in version 1.26.0.