Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
No advisories yet.
Tue, 23 Jun 2026 15:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
cvssV3_1
|
cvssV3_1
|
Mon, 22 Jun 2026 18:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Chainlit
Chainlit chainlit |
|
| Vendors & Products |
Chainlit
Chainlit chainlit |
Mon, 22 Jun 2026 16:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Mon, 22 Jun 2026 15:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Chainlit before 2.10.1 contains a session hijacking vulnerability that allows unauthenticated attackers to restore and inherit authenticated user sessions by presenting a valid sessionId during WebSocket session restoration without ownership verification. Attackers can exploit the restore_existing_session path to assume a victim's permissions and roles, enabling unauthorized invocation of tools and access to data restricted to the authenticated victim. | |
| Title | Chainlit < 2.10.1 Session Hijacking via WebSocket Session Restoration | |
| Weaknesses | CWE-862 | |
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: VulnCheck
Published:
Updated: 2026-06-23T14:42:38.931Z
Reserved: 2026-06-18T19:15:10.650Z
Link: CVE-2026-56104
Updated: 2026-06-22T16:06:44.839Z
No data.
No data.
OpenCVE Enrichment
Updated: 2026-06-24T11:45:02Z