CVE-2026-56104

Chainlit before 2.10.1 contains a session hijacking vulnerability that allows unauthenticated attackers to restore and inherit authenticated user sessions by presenting a valid sessionId during WebSocket session restoration without ownership verification. Attackers can exploit the restore_existing_session path to assume a victim's permissions and roles, enabling unauthorized invocation of tools and access to data restricted to the authenticated victim.
Configurations

No configuration.

History

23 Jun 2026, 16:17

Type Values Removed Values Added
CVSS v2 : unknown
v3 : 7.4
v2 : unknown
v3 : 8.2

22 Jun 2026, 16:16

Type Values Removed Values Added
New CVE

Information

Published : 2026-06-22 16:16

Updated : 2026-07-14 22:17


NVD link : CVE-2026-56104

Mitre link : CVE-2026-56104

CVE.ORG link : CVE-2026-56104


JSON object : View

Products Affected

No product.

CWE
CWE-862

Missing Authorization