CVE-2026-28443 Overview
OpenReplay, a self-hosted session replay suite, contains a SQL injection vulnerability in versions prior to 1.20.0. The vulnerability exists in the POST /{projectId}/cards/search endpoint, specifically within the sort.field parameter, which fails to properly sanitize user input before incorporating it into SQL queries.
Critical Impact
Attackers can exploit this SQL injection vulnerability to manipulate database queries, potentially leading to unauthorized data access, data modification, or extraction of sensitive information from the OpenReplay database.
Affected Products
- OpenReplay versions prior to 1.20.0
Discovery Timeline
- 2026-03-05 - CVE-2026-28443 published to NVD
- 2026-03-05 - Last updated in NVD database
Technical Details for CVE-2026-28443
Vulnerability Analysis
This SQL injection vulnerability (CWE-89) affects the card search functionality in OpenReplay. The sort.field parameter in the POST /{projectId}/cards/search endpoint does not properly validate or sanitize input before constructing SQL queries. This allows an attacker to inject arbitrary SQL commands that will be executed by the database engine.
The vulnerability is reachable over the network without authentication, which widens the set of parties able to attempt it. However, the vulnerability assessment scores the impact as limited to integrity violations, suggesting that while data modification is possible, confidentiality and availability impacts may be constrained by the application's database permissions or by the structure of the affected query.
Root Cause
The root cause of this vulnerability is improper input validation of the sort.field parameter. When processing card search requests within a project, the application incorporates the user-supplied sorting field directly into the SQL text without adequate validation. Because a column name in an ORDER BY clause cannot be bound as a query parameter the way a literal value can, the standard defence is to map the supplied field onto a fixed allowlist of known column names; omitting that step is the classic SQL injection pattern in which dynamic query construction trusts untrusted input.
Attack Vector
The attack vector is network-based: an attacker sends a specially crafted HTTP POST request to the vulnerable endpoint with a manipulated sort.field value in the request body. Since the CVSS assessment indicates that no authentication is required, any party able to reach the endpoint over the network could attempt to exploit it.
An attacker would craft a malicious payload in the sort.field parameter that breaks out of the intended SQL context and injects additional SQL commands. Common exploitation techniques include UNION-based injection to extract data from other tables, or time-based blind injection to infer database contents.
For technical details on exploitation patterns, refer to the GitHub Security Advisory.
Detection Methods for CVE-2026-28443
Indicators of Compromise
- Anomalous POST requests to /{projectId}/cards/search endpoints containing SQL syntax characters in the sort.field parameter
- Database error messages in application logs indicating SQL syntax errors from the cards search functionality
- Unusual database queries originating from the OpenReplay application with unexpected sorting clauses
- Evidence of data exfiltration attempts through UNION-based or time-based SQL injection techniques
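The following is an added example, not OpenReplay's own code, illustrating both the allowlist fix described under Root Cause and a log check for the first indicator above. It assumes a Python backend using a psycopg-style driver with %s placeholders, a constructed set of sortable column names, and constructed JSON request logs; none of these come from the advisory.

```python
import json
import re

# Constructed allowlist; the real card table's columns are an assumption.
ALLOWED_SORT_FIELDS = {"name", "created_at", "updated_at", "owner_id"}
ALLOWED_SORT_ORDERS = {"asc", "desc"}


def validate_sort(sort: dict) -> tuple[str, str]:
    """Return (field, order) only if both values are on the allowlist.

    ORDER BY identifiers cannot be bound as query parameters, so the only
    safe approach is to map user input onto a fixed set of known columns.
    """
    field = str(sort.get("field", "created_at"))
    order = str(sort.get("order", "desc")).lower()
    if field not in ALLOWED_SORT_FIELDS:
        raise ValueError(f"unsupported sort field: {field!r}")
    if order not in ALLOWED_SORT_ORDERS:
        raise ValueError(f"unsupported sort order: {order!r}")
    return field, order


def build_cards_search_query(project_id: int, query: str, sort: dict):
    """Hardened query builder; the CWE-89 pattern is shown only in the comment."""
    # Vulnerable pattern (the bug class described, do not use):
    #   f"... ORDER BY {sort['field']} {sort['order']}"
    field, order = validate_sort(sort)  # raises before any SQL is built
    sql = (
        "SELECT card_id, name, created_at FROM cards "
        "WHERE project_id = %s AND name ILIKE %s "
        f"ORDER BY {field} {order}"  # safe: both tokens came from the allowlist
    )
    return sql, (project_id, f"%{query}%")


def flag_suspicious_requests(log_lines: list[str]) -> list[str]:
    """Detection: return cards/search requests whose sort.field is off-list."""
    hits = []
    for line in log_lines:
        rec = json.loads(line)
        if rec.get("method") != "POST" or not re.fullmatch(r"/\d+/cards/search", rec.get("path", "")):
            continue
        try:
            validate_sort(rec.get("body", {}).get("sort", {}))
        except ValueError:
            hits.append(line)
    return hits


# Constructed sample request log records, not real OpenReplay logs.
SAMPLE_LOGS = [
    '{"method":"POST","path":"/12/cards/search","body":{"query":"login","sort":{"field":"created_at","order":"desc"}}}',
    '{"method":"POST","path":"/12/cards/search","body":{"query":"","sort":{"field":"name\'--","order":"asc"}}}',
    '{"method":"GET","path":"/12/cards","body":{}}',
]
```

Running flag_suspicious_requests(SAMPLE_LOGS) reports only the second record, whose sort.field is not a known column.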
Detection Strategies
- Implement web application firewall (WAF) rules to detect SQL injection patterns in request parameters targeting the cards search endpoint
- Monitor application logs for SQL-related error messages that may indicate injection attempts
- Deploy database activity monitoring to identify anomalous query patterns from the OpenReplay application
- Configure intrusion detection systems to alert on requests containing common SQL injection payloads
Monitoring Recommendations
- Enable detailed logging for all requests to the /{projectId}/cards/search endpoint
- Set up alerts for HTTP 500 errors or database errors originating from the affected endpoint
- Monitor database query logs for queries containing unexpected SQL keywords in sorting clauses
- Implement rate limiting on the vulnerable endpoint to slow potential automated exploitation attempts
How to Mitigate CVE-2026-28443
Immediate Actions Required
- Upgrade OpenReplay to version 1.20.0 or later immediately
- If immediate upgrade is not possible, consider temporarily disabling or restricting access to the /{projectId}/cards/search endpoint
- Review application and database logs for signs of prior exploitation
- Implement network-level access controls to limit exposure of the OpenReplay instance
Patch Information
The vulnerability has been addressed in OpenReplay version 1.20.0. Organizations running affected versions should upgrade to 1.20.0 or later to remediate this SQL injection vulnerability. The patch information is available through the GitHub Security Advisory.
Workarounds
- Deploy a web application firewall (WAF) with SQL injection detection rules to filter malicious requests targeting the vulnerable endpoint
- Implement network segmentation to restrict access to the OpenReplay instance to trusted networks only
- Configure reverse proxy rules to validate the sort.field parameter against the list of expected column names before requests reach the application
- Disable or restrict access to the cards search functionality if it is not critical to operations until patching is complete
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.