Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
CVE Vulnerability Details :
CVE-2026-56104
PUBLISHED
More InfoOfficial Page
Assigner-VulnCheck
Assigner Org ID-83251b91-4cc7-4094-a5c7-464a1b83ea10
View Known Exploited Vulnerability (KEV) details
Published At-22 Jun, 2026 | 14:17
Updated At-23 Jun, 2026 | 14:42
Rejected At-
▼CVE Numbering Authority (CNA)
Chainlit < 2.10.1 Session Hijacking via WebSocket Session Restoration

Chainlit before 2.10.1 contains a session hijacking vulnerability that allows unauthenticated attackers to restore and inherit authenticated user sessions by presenting a valid sessionId during WebSocket session restoration without ownership verification. Attackers can exploit the restore_existing_session path to assume a victim's permissions and roles, enabling unauthorized invocation of tools and access to data restricted to the authenticated victim.

Affected Products
Vendor
Chainlit
Product
chainlit
Repo
https://github.com/Chainlit/chainlit
Default Status
affected
Versions
Affected
  • From 0 before 2.10.1 (semver)
Problem Types
TypeCWE IDDescription
CWECWE-862Missing Authorization
Type: CWE
CWE ID: CWE-862
Description: Missing Authorization
Metrics
VersionBase scoreBase severityVector
4.08.8HIGH
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N
3.18.2HIGH
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N
Version: 4.0
Base score: 8.8
Base severity: HIGH
Vector:
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N
Version: 3.1
Base score: 8.2
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

finder
Tanguy Snoeck
Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://github.com/Chainlit/chainlit/releases/tag/2.10.1
release-notes
https://github.com/Chainlit/chainlit/pull/2857
issue-tracking
https://github.com/Chainlit/chainlit/commit/5effb664f1e0af4a4f0a42fe63ea979676039a7f
patch
https://www.vulncheck.com/advisories/chainlit-session-hijacking-via-websocket-session-restoration
third-party-advisory
Hyperlink: https://github.com/Chainlit/chainlit/releases/tag/2.10.1
Resource:
release-notes
Hyperlink: https://github.com/Chainlit/chainlit/pull/2857
Resource:
issue-tracking
Hyperlink: https://github.com/Chainlit/chainlit/commit/5effb664f1e0af4a4f0a42fe63ea979676039a7f
Resource:
patch
Hyperlink: https://www.vulncheck.com/advisories/chainlit-session-hijacking-via-websocket-session-restoration
Resource:
third-party-advisory
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
Details not found