
CVE-2026-28443: OpenReplay SQL Injection Vulnerability

CVE-2026-28443 is a SQL injection flaw in the sort.field parameter of OpenReplay's POST /{projectId}/cards/search endpoint, which lets an attacker alter the SQL query the server builds from the request. This article covers the technical details, affected versions, security impact, detection, and mitigation.


CVE-2026-28443 Overview

OpenReplay, a self-hosted session replay suite, contains a SQL injection vulnerability in versions prior to 1.20.0. The flaw is in the POST /{projectId}/cards/search endpoint: the sort.field value from the request body is placed into the SQL query without being validated against the set of columns the endpoint is meant to sort by. Because a sort field names a column rather than supplying a data value, it cannot be protected by parameter binding; the query is only safe if the value is checked against an allowlist of permitted column names first.

Critical Impact

By controlling the sort.field value, an attacker can change the SQL the server executes. Depending on how the value is embedded in the statement and on the privileges of OpenReplay's database account, that can mean reading rows the caller should not see, altering data, or inferring database contents from differences in result ordering or response time. The assessment referenced below scores the confirmed impact as integrity only; treat any broader effect as unverified until checked against the advisory.

Affected Products

  • OpenReplay versions prior to 1.20.0

Discovery Timeline

  • 2026-03-05 - CVE-2026-28443 published to NVD
  • 2026-03-05 - Last updated in the NVD database

Technical Details for CVE-2026-28443

Vulnerability Analysis

This SQL injection vulnerability (CWE-89) affects the card search functionality in OpenReplay. The sort.field parameter of the POST /{projectId}/cards/search request is interpolated into the SQL statement without validation, so attacker-controlled text becomes part of the query the database engine executes.

According to the CVSS assessment the vulnerability is reachable over the network without authentication, which puts every exposed OpenReplay instance in scope. The same assessment scores the impact as integrity only. That is narrower than a generic SQL injection would suggest: it indicates that data modification is the confirmed outcome, while confidentiality and availability impact depend on what the application's database account is allowed to do and on where the injected value sits in the statement. The advisory, not the score, is the authority on what the injection can actually reach.

Root Cause

The root cause is missing input validation on the sort.field parameter. When the application handles a card search for a project, it inserts the user-supplied sort field directly into the SQL it builds, with no check that the value is one of the columns the endpoint supports. This is the classic dynamic-query injection pattern, and it is particularly common with sort and filter parameters: those values name columns, so they cannot be passed through a prepared statement's parameter binding, and an allowlist of permitted column names is the standard fix.
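The pattern described above, as an added example that is not OpenReplay's code: a Python function that interpolates the sort field into ORDER BY, the allowlisted fix beside it, and a boolean-blind probe run against a constructed SQLite database to show why an injectable sort field is dangerous even when it returns no extra rows. The schema, column names, users table and hash value are hypothetical stand-ins chosen so the block runs offline.

```python
import sqlite3
import string

# Added example, not OpenReplay code. The schema, the allowlist and the secret
# in the users table are hypothetical; they exist only so the injection effect
# can be demonstrated offline against SQLite.
ALLOWED_SORT_FIELDS = {"name", "created_at"}   # hypothetical allowlist


def build_query_vulnerable(sort_field: str) -> str:
    """Weak pattern: the sort field is interpolated straight into ORDER BY."""
    return f"SELECT name FROM cards WHERE project_id = ? ORDER BY {sort_field} DESC"


def build_query_hardened(sort_field: str) -> str:
    """Fix: identifiers cannot be bound as parameters, so allowlist them."""
    if sort_field not in ALLOWED_SORT_FIELDS:
        raise ValueError(f"unsupported sort field: {sort_field!r}")
    return f"SELECT name FROM cards WHERE project_id = ? ORDER BY {sort_field} DESC"


def make_db() -> sqlite3.Connection:
    """Constructed sample data: three cards plus a secret the attacker wants."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE cards (project_id INTEGER, name TEXT, created_at INTEGER);
        CREATE TABLE users (id INTEGER, email TEXT, password_hash TEXT);
        INSERT INTO cards VALUES (1, 'alpha', 3), (1, 'bravo', 2), (1, 'charlie', 1);
        INSERT INTO users VALUES (1, 'admin@example.test', '$argon2id$v=19$m=65536');
        """
    )
    return conn


def search_cards(conn, builder, project_id: int, sort_field: str) -> list:
    """Run the search; project_id is bound safely, sort_field is attacker-controlled."""
    return [row[0] for row in conn.execute(builder(sort_field), (project_id,))]


def blind_probe(conn, position: int, ch: str) -> bool:
    """Boolean-blind oracle through ORDER BY: if the guessed character matches,
    rows come back sorted by name (charlie first); otherwise by created_at
    (alpha first). No secret data is returned, only an ordering."""
    payload = (
        f"(CASE WHEN (SELECT substr(password_hash, {position}, 1) FROM users "
        f"WHERE id = 1) = '{ch}' THEN name ELSE created_at END)"
    )
    return search_cards(conn, build_query_vulnerable, 1, payload)[0] == "charlie"


def infer_secret_prefix(conn, length: int) -> str:
    """Recover the first `length` characters of the hash one position at a time."""
    charset = "$" + string.ascii_letters + string.digits + "=."
    recovered = ""
    for pos in range(1, length + 1):
        for ch in charset:
            if blind_probe(conn, pos, ch):
                recovered += ch
                break
    return recovered


if __name__ == "__main__":
    db = make_db()
    print(search_cards(db, build_query_vulnerable, 1, "name"))   # ['charlie', 'bravo', 'alpha']
    print(infer_secret_prefix(db, 4))                             # $arg
    try:
        search_cards(db, build_query_hardened, 1, "name; --")
    except ValueError as exc:
        print("rejected:", exc)
```

The probe never sees the users table in the response; it only watches which card comes first. That is why a sort parameter is a good blind-injection vector and why output-based filtering at the database layer does not help. The hardened builder rejects anything outside the allowlist before a query is even assembled.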

Attack Vector

The attack vector is network-based: the attacker sends a crafted HTTP POST to the vulnerable endpoint with SQL embedded in the sort.field value of the request body. Because the CVSS assessment marks the vulnerability as requiring no authentication, any client that can reach the endpoint can attempt this.

The payload has to break out of the intended SQL context and append or alter SQL of the attacker's choosing; its exact shape depends on where the sort field lands in the statement. A sort parameter lends itself to blind techniques, where no data is returned directly and the attacker instead observes changes in result ordering or response time, though stacked statements or UNION-based extraction may also apply depending on the driver and the query.

For technical details on exploitation patterns, refer to the GitHub Security Advisory.

Detection Methods for CVE-2026-28443

Indicators of Compromise

  • POST requests to /{projectId}/cards/search whose sort.field value is anything other than a plain column identifier (quotes, parentheses, semicolons, or SQL keywords such as CASE, SELECT or UNION)
  • Database syntax errors or HTTP 500 responses in application logs tied to the cards search functionality
  • Queries reaching the database from the OpenReplay application with unexpected expressions in the sorting clause
  • Bursts of near-identical search requests from one source that differ only in sort.field, the signature of blind injection probing

Detection Strategies

  • Implement web application firewall (WAF) rules to detect SQL injection patterns in request parameters targeting the cards search endpoint
  • Monitor application logs for SQL-related error messages that may indicate injection attempts
  • Deploy database activity monitoring to identify anomalous query patterns from the OpenReplay application
  • Configure intrusion detection systems to alert on requests containing common SQL injection payloads
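A detection routine for the indicators and strategies listed above, added here as an example and not part of OpenReplay or of any WAF product. It assumes a hypothetical access-log format with one JSON object per request that includes the parsed body; the sample lines are constructed. It flags any cards search whose sort.field is not a plain identifier, flags server errors on that endpoint, and reports sources that sent several distinct rejected payloads, the probing pattern of blind injection.

```python
import json
import re
from collections import defaultdict

# Added example, not OpenReplay code. The log format (one JSON object per
# request with the parsed body) is hypothetical; adapt the field names to
# whatever your reverse proxy or application logger actually emits.
CARD_SEARCH_PATH = re.compile(r"^/[^/]+/cards/search$")
# A legitimate sort field is a bare identifier, optionally dotted (table.column).
SAFE_SORT_FIELD = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)?$")
PROBE_THRESHOLD = 3   # distinct rejected sort fields from one source before flagging a probe

# Constructed sample log lines: benign traffic from 10.0.0.5, a probe burst from
# 203.0.113.9, and a well-formed request that still produced a server error.
SAMPLE_LOG = [
    '{"ts":"2026-03-06T10:00:01Z","src":"10.0.0.5","method":"POST","path":"/1/cards/search","status":200,"body":{"sort":{"field":"created_at","order":"desc"}}}',
    '{"ts":"2026-03-06T10:00:02Z","src":"10.0.0.5","method":"POST","path":"/1/cards/search","status":200,"body":{"sort":{"field":"name","order":"asc"}}}',
    '{"ts":"2026-03-06T10:01:10Z","src":"203.0.113.9","method":"POST","path":"/1/cards/search","status":200,"body":{"sort":{"field":"name; --","order":"desc"}}}',
    '{"ts":"2026-03-06T10:01:11Z","src":"203.0.113.9","method":"POST","path":"/1/cards/search","status":200,"body":{"sort":{"field":"(CASE WHEN (SELECT 1)=1 THEN name ELSE created_at END)","order":"desc"}}}',
    '{"ts":"2026-03-06T10:01:12Z","src":"203.0.113.9","method":"POST","path":"/1/cards/search","status":200,"body":{"sort":{"field":"(CASE WHEN (SELECT 1)=2 THEN name ELSE created_at END)","order":"desc"}}}',
    '{"ts":"2026-03-06T10:02:00Z","src":"10.0.0.7","method":"POST","path":"/1/cards/search","status":500,"body":{"sort":{"field":"created_at","order":"desc"}}}',
    '{"ts":"2026-03-06T10:02:30Z","src":"10.0.0.5","method":"POST","path":"/1/cards/search","status":200,"body":{"sort":{"field":"sessions.created_at","order":"desc"}}}',
]


def parse_entry(line: str) -> dict:
    """Parse one JSON log line and lift sort.field to the top level for convenience."""
    entry = json.loads(line)
    sort = entry.get("body", {}).get("sort") or {}
    entry["sort_field"] = sort.get("field")
    return entry


def classify(entry: dict):
    """Return a reason string if the request is worth an alert, else None."""
    if entry.get("method") != "POST" or not CARD_SEARCH_PATH.match(entry.get("path", "")):
        return None
    field = entry.get("sort_field")
    if field is None:
        return None
    if not SAFE_SORT_FIELD.match(field):
        return "sort.field is not a plain identifier"
    if entry.get("status") == 500:
        return "server error on cards search with a well-formed sort field"
    return None


def scan(lines):
    """Return per-request alerts plus sources that probed with several distinct payloads."""
    alerts = []
    rejected_by_src = defaultdict(set)
    for line in lines:
        entry = parse_entry(line)
        reason = classify(entry)
        if reason:
            alerts.append((entry["src"], entry["ts"], reason, entry["sort_field"]))
            if reason.startswith("sort.field"):
                rejected_by_src[entry["src"]].add(entry["sort_field"])
    probes = sorted(src for src, fields in rejected_by_src.items()
                    if len(fields) >= PROBE_THRESHOLD)
    return alerts, probes


if __name__ == "__main__":
    found, probing = scan(SAMPLE_LOG)
    for alert in found:
        print(alert)
    print("probing sources:", probing)
```

The identifier check is deliberately an allowlist on shape rather than a blocklist of SQL keywords: a legitimate sort field never needs a space, a quote or a parenthesis, so anything containing one is suspect regardless of which keyword it uses. The per-source counter is what separates a single malformed request from a systematic blind probe.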

Monitoring Recommendations

  • Enable detailed logging for all requests to the /{projectId}/cards/search endpoint
  • Set up alerts for HTTP 500 errors or database errors originating from the affected endpoint
  • Monitor database query logs for queries containing unexpected SQL keywords in sorting clauses
  • Implement rate limiting on the vulnerable endpoint to slow potential automated exploitation attempts

How to Mitigate CVE-2026-28443

Immediate Actions Required

  • Upgrade OpenReplay to version 1.20.0 or later immediately
  • If immediate upgrade is not possible, consider temporarily disabling or restricting access to the /{projectId}/cards/search endpoint
  • Review application and database logs for signs of prior exploitation
  • Implement network-level access controls to limit exposure of the OpenReplay instance

Patch Information

The vulnerability has been addressed in OpenReplay version 1.20.0. Organizations running affected versions should upgrade to 1.20.0 or later to remediate this SQL injection vulnerability. The patch information is available through the GitHub Security Advisory.

Workarounds

  • Deploy a web application firewall (WAF) with SQL injection detection rules to filter malicious requests targeting the vulnerable endpoint
  • Implement network segmentation to restrict access to the OpenReplay instance to trusted networks only
  • Configure reverse proxy rules to reject requests to the cards search endpoint whose sort.field value does not match a plain column identifier (letters, digits and underscores, optionally dotted), rather than trying to strip suspicious characters from it
  • Disable or restrict access to the cards search functionality if it is not critical to operations until patching is complete

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
