Severity: HIGH | CVE-2026-56104 | CNA: VulnCheck

CVE-2026-56104: Chainlit < 2.10.1 Session Hijacking via WebSocket Session Restoration

Chainlit before 2.10.1 contains a session hijacking vulnerability that allows unauthenticated attackers to restore and inherit authenticated user sessions by presenting a valid sessionId during WebSocket session restoration without ownership verification. Attackers can exploit the restore_existing_session path to assume a victim's permissions and roles, enabling unauthorized invocation of tools and access to data restricted to the authenticated victim.

Metrics

  • CVSS v4.0: 8.8
  • Severity: HIGH
  • Fixed in: 2.10.1
  • Affected Products: 1


HarborGuard Analysis

Synopsis

This is a session hijacking vulnerability in Chainlit, the open-source Python framework for building chat-model interfaces. An unauthenticated attacker who obtains a valid session ID can present it during the WebSocket session restoration handshake and take over the corresponding authenticated user session, because the server does not verify that the requester owns the session. Successful exploitation gives the attacker full access to the victim's permissions, roles, tool invocations, and any data the victim's session can reach. A patched-image rebuild at version 2.10.1 is available on HarborGuard for environments running an affected version.
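A simplified model of the missing ownership check, as an added example (not Chainlit's code or its 2.10.1 patch). `SessionStore`, `restore_unchecked` and `restore_checked` are hypothetical names, and `requester_id` is assumed to come from a credential the server verified on the reconnecting socket.

```python
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Session:
    """Server-side state kept so a dropped WebSocket can reconnect."""
    session_id: str
    user_id: Optional[str]      # None for an anonymous session
    roles: frozenset = frozenset()


class SessionStore:
    def __init__(self):
        self._by_id = {}

    def create(self, user_id, roles=()):
        s = Session(secrets.token_urlsafe(32), user_id, frozenset(roles))
        self._by_id[s.session_id] = s
        return s

    def restore_unchecked(self, session_id):
        # The flaw described above: knowing the ID is treated as owning it,
        # so the caller inherits the stored user and roles.
        return self._by_id.get(session_id)

    def restore_checked(self, session_id, requester_id):
        # requester_id is the identity verified for THIS connection
        # (assumption: taken from a validated token or cookie, never
        # from a value the client merely asserts in the handshake).
        s = self._by_id.get(session_id)
        if s is None:
            return None                 # unknown or expired ID
        if s.user_id is None:
            # Anonymous session: nothing privileged to inherit, but do
            # not attach it to a different, authenticated identity.
            return s if requester_id is None else None
        if requester_id is None or requester_id != s.user_id:
            return None                 # caller is not the owner
        return s
```

On a rejected restore the server should fall back to creating a fresh session for the caller rather than reusing any state from the requested one.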

HarborGuard Coverage

Detection

Detection of CVE-2026-56104 is available across every HarborGuard environment. The CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built images that bundle Chainlit, in both registry scans and active CI pipeline checks.

Status: Available

Triage

HarborGuard is capable of scoring this finding at CVSS 9.1 Critical and weighting it against each customer's per-environment compliance policy to determine breach of SLA thresholds. Triage routing to the appropriate team inbox within each customer organization is available automatically once a policy is configured.

Status: Available

Patch

A patched-image rebuild at Chainlit 2.10.1 is available for any image HarborGuard identifies as running an affected version. For customers who opt into auto-remediation, HarborGuard can execute the rebuild, run a regression test suite against the updated image, and open a pull request against affected workloads without manual intervention.

Status: Available

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Chainlit WebSocket endpoint over the network; the service must be accessible from the attacker's origin.

  • Authentication: Not required

    No credentials or account are required; the attacker only needs a valid session ID belonging to another user.

  • Victim interaction: Not required

    The attacker exploits the restore path directly without any action required from the victim at exploit time.

  • Attack complexity: Detail

    Exploitation requires the attacker to first obtain a valid session ID through a separate means (e.g., network interception or leakage), adding an environmental prerequisite before the hijack step.

Blast Radius

  • The attacker reads all data accessible to the hijacked session, including conversation history, tool outputs, and any files or records the victim's role can retrieve.
  • The attacker invokes tools and backend actions with the victim's full permissions, allowing creation, modification, or deletion of resources the victim is authorized to change.
  • Session continuity for the legitimate victim is disrupted, as the restored session can be consumed or manipulated by the attacker.

How HarborGuard Handles This

Available on HarborGuard: detection fires within minutes of ingestion for any image containing Chainlit below 2.10.1, covering both pulled public images and internally built images that vendor the package. For customers who opt into auto-remediation, HarborGuard can rebuild the affected image at version 2.10.1, run a regression test pass, and open a PR against impacted workloads; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval, the rebuilt image candidate is staged and surfaced in the HarborGuard dashboard pending sign-off.

Because the vulnerability lies in WebSocket session restoration logic with no authentication gate, teams unable to patch immediately should consider:

  • placing the Chainlit service behind a network policy that restricts WebSocket access to known trusted origins;
  • applying egress filtering to limit lateral reach if a session is hijacked;
  • auditing session ID generation and transmission paths for exposure points.


Fix available: 2.10.1
Patch commits
Affected packages
  • Chainlit / chainlit: < 2.10.1 (from 0)
CVSS Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N