Skip to main content

Chainlit EUVDEUVD-2026-38285

| CVE-2026-56104 HIGH
Missing Authorization (CWE-862)
2026-06-22 VulnCheck GHSA-c39v-8hrw-h448
8.8
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
8.8 CRITICAL
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.7 HIGH

Network-reachable WebSocket, no attacker auth (PR:N) but requires obtaining a valid sessionId (AC:H); scope changes as attacker gains victim's identity/permissions; no availability impact.

3.1 AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
4.0 AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

7
Analysis Updated
Jun 23, 2026 - 17:13 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 23, 2026 - 17:13 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 23, 2026 - 17:07 vuln.today
cvss_changed
Severity Changed
Jun 23, 2026 - 17:07 NVD
CRITICAL HIGH
CVSS changed
Jun 23, 2026 - 17:07 NVD
9.1 (CRITICAL) 8.8 (HIGH)
Source Code Evidence Fetched
Jun 22, 2026 - 16:02 vuln.today
Analysis Generated
Jun 22, 2026 - 16:02 vuln.today

DescriptionCVE.org

Chainlit before 2.10.1 contains a session hijacking vulnerability that allows unauthenticated attackers to restore and inherit authenticated user sessions by presenting a valid sessionId during WebSocket session restoration without ownership verification. Attackers can exploit the restore_existing_session path to assume a victim's permissions and roles, enabling unauthorized invocation of tools and access to data restricted to the authenticated victim.

AnalysisAI

Session hijacking in Chainlit before 2.10.1 allows remote attackers with a valid victim sessionId to inherit an authenticated user's session via the WebSocket restore_existing_session path, which fails to verify session ownership. Successful exploitation grants the attacker the victim's roles and permissions, enabling unauthorized tool invocation and access to restricted data. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify exposed Chainlit instance
Delivery
Obtain victim sessionId via leak or interception
Exploit
Open WebSocket connection
Execution
Invoke restore_existing_session with sessionId
Persist
Inherit victim's authenticated identity
Impact
Invoke privileged tools and exfiltrate data

Vulnerability AssessmentAI

Exploitation Attacker must possess a valid, currently-active sessionId belonging to an authenticated Chainlit user and must be able to reach the Chainlit WebSocket endpoint over the network. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 base score of 8.8 reflects network reach with high confidentiality and integrity impact on both the vulnerable and a subsequent system (the connected backend tools and data), but AC:H and PR:L indicate exploitation is non-trivial and requires the attacker to first obtain a valid victim sessionId - for example via log leakage, referrer exposure, XSS, or network interception. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who obtains a valid Chainlit sessionId for an authenticated user - for example from a leaked browser log, a shared screenshot, an HTTP referrer, or a network capture - opens a WebSocket connection and invokes the restore_existing_session path with that sessionId. Chainlit rebinds the existing authenticated identity to the attacker's socket, allowing them to invoke tools and read data as the victim. …
Remediation Vendor-released patch: upgrade Chainlit to 2.10.1 or later (https://github.com/Chainlit/chainlit/releases/tag/2.10.1), which adds session-ownership validation on WebSocket restore via PR #2857 (commit 5effb664f1e0af4a4f0a42fe63ea979676039a7f). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Inventory all Chainlit deployments, identify current versions, and determine criticality of systems running vulnerable versions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-38285 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy