Chainlit before 2.10.1 contains a session hijacking vulnerability that allows unauthenticated attackers to restore and inherit authenticated user sessions by presenting a valid sessionId during WebSocket session restoration without ownership verification. Attackers can exploit the restore_existing_session path to assume a victim's permissions and roles, enabling unauthorized invocation of tools and access to data restricted to the authenticated victim.
References
Configurations
No configuration.
History
23 Jun 2026, 16:17
| Type | Values Removed | Values Added |
|---|---|---|
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 8.2 |
22 Jun 2026, 16:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-06-22 16:16
Updated : 2026-07-14 22:17
NVD link : CVE-2026-56104
Mitre link : CVE-2026-56104
CVE.ORG link : CVE-2026-56104
JSON object : View
Products Affected
No product.
CWE
CWE-862
Missing Authorization
