Session Hijacking Vulnerability in Chainlit Software by Chainlit
CVE-2026-56104

9.1 CRITICAL

Key Information:

Vendor: Chainlit
Status: Vendor
CVE Published: 22 June 2026

What is CVE-2026-56104?

Chainlit versions prior to 2.10.1 contain a session hijacking flaw in the WebSocket session restoration (resume) flow. When a client reconnects and presents a valid sessionId, the server restores the matching session without verifying that the reconnecting client is the user who owns it. Anyone who obtains a victim's sessionId can therefore reclaim that user's authenticated session and act with the victim's permissions and access to the victim's data; no interaction from the victim is required. The sessionId is effectively a bearer credential in affected versions, so any leak of it (in URLs, logs or shared links) is sufficient for takeover. Update to version 2.10.1 or later.
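The following Python model illustrates the flaw class described above: a resume handler that returns any session whose sessionId exists, beside a hardened handler that additionally binds the session to the principal the server itself authenticated on the handshake. This is an added example, not Chainlit's own code; the SessionStore, Session and Handshake names, and the in-memory store, are assumptions made for illustration.

```python
"""Model of the session-restoration flaw class behind CVE-2026-56104.

Added example, not Chainlit's own code: the store, Session class and
handler names are invented to show (1) the vulnerable pattern, where any
client presenting a valid sessionId reclaims the session, and (2) a
hardened handler that only resumes a session for the principal the
server authenticated on the WebSocket handshake.
"""
from __future__ import annotations

from dataclasses import dataclass, field
import secrets
from typing import Optional


@dataclass
class Session:
    session_id: str
    owner_id: str                      # principal the session was created for
    data: dict = field(default_factory=dict)


class SessionStore:
    """In-memory stand-in for the server-side session table (assumed)."""

    def __init__(self) -> None:
        self._sessions: dict[str, Session] = {}

    def create(self, owner_id: str) -> Session:
        # Unguessable id; ownership is recorded at creation time.
        sess = Session(secrets.token_urlsafe(32), owner_id)
        self._sessions[sess.session_id] = sess
        return sess

    def lookup(self, session_id: str) -> Optional[Session]:
        return self._sessions.get(session_id)


@dataclass
class Handshake:
    """Hypothetical reconnect input. authenticated_user comes from the
    credential the server verified (cookie/token); requested_session_id
    is client-supplied and untrusted."""
    authenticated_user: str
    requested_session_id: str


def restore_vulnerable(store: SessionStore, hs: Handshake) -> Optional[Session]:
    """Vulnerable pattern: existence of the sessionId is the only check,
    so whoever learns the id takes over the owner's session."""
    return store.lookup(hs.requested_session_id)


def restore_fixed(store: SessionStore, hs: Handshake) -> Optional[Session]:
    """Hardened pattern: a session is resumed only by the principal that
    owns it. A mismatch is treated exactly like an unknown sessionId so
    the response does not confirm that the id is valid."""
    sess = store.lookup(hs.requested_session_id)
    if sess is None or sess.owner_id != hs.authenticated_user:
        return None
    return sess


def demo() -> tuple[bool, bool, bool]:
    """Returns (hijack succeeds on vulnerable handler,
                hijack blocked by fixed handler,
                owner can still resume on fixed handler)."""
    store = SessionStore()
    alice = store.create("alice")
    alice.data["history"] = "alice's chat history"   # constructed sample data
    # Mallory authenticates as herself but presents Alice's sessionId.
    hijack = Handshake(authenticated_user="mallory",
                       requested_session_id=alice.session_id)
    legit = Handshake(authenticated_user="alice",
                      requested_session_id=alice.session_id)
    return (
        restore_vulnerable(store, hijack) is alice,
        restore_fixed(store, hijack) is None,
        restore_fixed(store, legit) is alice,
    )


if __name__ == "__main__":
    print(demo())
```

The point of the fixed handler is where the identity comes from: the owner comparison must use the user the server authenticated during the handshake, never a user id sent alongside the sessionId, or the check can be satisfied by the same attacker who supplies the id.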

Affected Version(s)

chainlit 0 up to, but not including, 2.10.1

CVSS V4

Score: 9.1
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: High
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability reserved

  • Vulnerability published: 22 June 2026

Credit

Tanguy Snoeck