CVE-2026-56104
HighCVSS 8.2Exploitation Probability (EPSS)
Low risk21th percentile - higher than 21% of all known CVEs
Summary
Chainlit before 2.10.1 contains a session hijacking vulnerability that allows unauthenticated attackers to restore and inherit authenticated user sessions by presenting a valid sessionId during WebSocket session restoration without ownership verification.
Risk Assessment
Attackers can exploit this vulnerability to assume a victim's permissions and roles, enabling unauthorized invocation of tools and access to data restricted to the authenticated victim.
Recommendation
It is recommended to update Chainlit to version 2.10.1 or later to mitigate this vulnerability and implement additional session verification mechanisms.
Original NVD description (English source)
Chainlit before 2.10.1 contains a session hijacking vulnerability that allows unauthenticated attackers to restore and inherit authenticated user sessions by presenting a valid sessionId during WebSocket session restoration without ownership verification. Attackers can exploit the restore_existing_session path to assume a victim's permissions and roles, enabling unauthorized invocation of tools and access to data restricted to the authenticated victim.

