OpenReplay: Authenticated ClickHouse SQL injection in session search
The session search and analytics API builds ClickHouse queries from user input without escaping in two positions, letting a logged-in member read arbitrary ClickHouse tables and other projects' analytics data.
Advisory ID: TP-2026-026
Product: OpenReplay (session replay and product analytics platform)
Vulnerability type: Authenticated SQL injection (CWE-89)
CVE: CVE-2026-57230
CVSS 3.1: 5.4 (Medium) · CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:L
Affected versions: < 1.27.0
Fixed in: 1.27.0
Vendor advisory: GHSA-vxf8-j7jx-p65x
Reported: 29 May 2026
Summary
OpenReplay is a session replay and product analytics platform. The session search endpoint and its analytics API insert user input into the ClickHouse query without escaping in two positions: the value of the "name" search filter and a previously stored metadata key. A logged-in member can use this for boolean-based and time-based blind SQL injection, read arbitrary ClickHouse tables and thereby access the analytics data of all projects. Because the stored metadata key is interpolated again on every later query, a payload placed there also acts persistently and disrupts session search for every viewer. turingpoint verified the flow and reported it responsibly; the vendor fixed the issue in 1.27.0.
Proof of Concept
Schematic (logged-in member), time-based blind injection through the "name" search filter:

POST /api/{projectId}/sessions/search
{
  "filters": [
    { "type": "name", "value": ["' OR sleep(3) -- "] }
  ]
}

-> response time increases by ~3 s per matched row (oracle for blind extraction).
The second sink is a stored metadata key: when it is later interpolated into the search/analytics query, the embedded SQL runs again with no further attacker interaction (persistent). Because the missing escaping step affects both positions, a single input containing a quote character (') is enough to break out of the filter context.
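Added example (not OpenReplay's own code): a constructed stand-in for the query builder that places the unescaped interpolation beside a hardened version. The hardened builder resolves the filter type through an allowlist and passes both the filter value and the stored metadata key as ClickHouse server-side query parameters ({name:Type}); the table, column and filter names are assumptions, and the payload is the one from the PoC above.

```python
# Constructed stand-in for the two sinks in the advisory; "sessions",
# "user_name" and "metadata_key" are assumed names, not OpenReplay's schema.
FILTER_COLUMNS = {"name": "user_name", "email": "user_email"}  # allowlist: filter type -> column


def build_search_vulnerable(project_id, filter_type, value, metadata_key):
    """Vulnerable pattern: the filter value and the stored metadata key are
    spliced into the SQL text, so a quote in either one rewrites the query."""
    column = FILTER_COLUMNS[filter_type]
    return (
        f"SELECT session_id FROM sessions WHERE project_id = {project_id} "
        f"AND {column} = '{value}' AND metadata_key = '{metadata_key}'"
    )


def build_search_hardened(project_id, filter_type, value, metadata_key):
    """Hardened pattern: the column comes from an allowlist and every
    user-controlled value is a ClickHouse query parameter ({name:Type}),
    which the server binds as typed data, never as SQL text."""
    if filter_type not in FILTER_COLUMNS:
        raise ValueError(f"unknown filter type: {filter_type!r}")
    column = FILTER_COLUMNS[filter_type]
    sql = (
        "SELECT session_id FROM sessions WHERE project_id = {project_id:UInt32} "
        f"AND {column} = {{value:String}} AND metadata_key = {{metadata_key:String}}"
    )
    params = {"project_id": int(project_id), "value": value, "metadata_key": metadata_key}
    return sql, params


def leaks_input(sql, params):
    """Regression check for a query builder: a quote-bearing user string
    must never appear verbatim inside the SQL text. Use it in unit tests
    with inputs such as the advisory's PoC payload."""
    return any(isinstance(v, str) and "'" in v and v in sql for v in params.values())


if __name__ == "__main__":
    payload = "' OR sleep(3) -- "  # the PoC payload from the advisory
    print(build_search_vulnerable(1, "name", payload, "plan"))
    sql, params = build_search_hardened(1, "name", payload, "plan")
    print(sql, params)
```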
Is Something Like This in Your Software?
Our team found this vulnerability in the course of its work. Have your applications tested by the same specialists, with a penetration test from turingpoint.
