CVE Catalog

CVE-2026-56104

HighCVSS 8.2
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.30%

21th percentile - higher than 21% of all known CVEs

Summary

Chainlit before 2.10.1 contains a session hijacking vulnerability that allows unauthenticated attackers to restore and inherit authenticated user sessions by presenting a valid sessionId during WebSocket session restoration without ownership verification.

Risk Assessment

Attackers can exploit this vulnerability to assume a victim's permissions and roles, enabling unauthorized invocation of tools and access to data restricted to the authenticated victim.

Recommendation

It is recommended to update Chainlit to version 2.10.1 or later to mitigate this vulnerability and implement additional session verification mechanisms.

Original NVD description (English source)

Chainlit before 2.10.1 contains a session hijacking vulnerability that allows unauthenticated attackers to restore and inherit authenticated user sessions by presenting a valid sessionId during WebSocket session restoration without ownership verification. Attackers can exploit the restore_existing_session path to assume a victim's permissions and roles, enabling unauthorized invocation of tools and access to data restricted to the authenticated victim.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS