PT-2026-51339 · Chainlit · Chainlit

Tanguy Snoeck · Published 2026-06-22 · Updated 2026-06-22 · CVE-2026-56104

CVSS v3.1: 7.4 (High)

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions
Chainlit versions prior to 2.10.1

Description
An issue exists where unauthenticated attackers can restore and inherit authenticated user sessions. This occurs during WebSocket session restoration when a valid sessionId is presented without ownership verification via the 'restore existing session' path. Successful exploitation allows an attacker to assume a victim's permissions and roles, leading to unauthorized access to restricted data and the ability to invoke tools.

Recommendations
Update to version 2.10.1 or later.
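
A minimal model of the ownership check the description says was missing on the 'restore existing session' path, added here as an example; it is not Chainlit's code. `SessionStore`, `restore_unchecked`, `restore_checked` and the sample session id are hypothetical names constructed for illustration.

```python
# Added illustration: simplified model, not Chainlit's implementation.
# All class, method and field names are hypothetical.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Session:
    session_id: str
    owner: Optional[str]          # authenticated user id, None if anonymous
    roles: list = field(default_factory=list)


class SessionStore:
    def __init__(self):
        self._sessions = {}

    def create(self, session_id, owner, roles=()):
        self._sessions[session_id] = Session(session_id, owner, list(roles))
        return self._sessions[session_id]

    def restore_unchecked(self, session_id, connecting_user):
        """Behaviour the advisory describes: a valid session id alone is
        enough, and the connecting caller's identity is never consulted."""
        return self._sessions.get(session_id)

    def restore_checked(self, session_id, connecting_user):
        """Restore only when the identity authenticated on the new
        connection matches the owner recorded for the session."""
        session = self._sessions.get(session_id)
        if session is None:
            return None
        if session.owner is None:
            # Anonymous session: only an anonymous connection may resume it.
            return session if connecting_user is None else None
        if connecting_user is None or connecting_user != session.owner:
            return None           # unauthenticated or different user: refuse
        return session


if __name__ == "__main__":
    store = SessionStore()
    store.create("sess-constructed-0001", "alice", roles=["admin"])  # constructed sample
    for user in (None, "mallory", "alice"):
        unchecked = store.restore_unchecked("sess-constructed-0001", user)
        checked = store.restore_checked("sess-constructed-0001", user)
        print(user, "unchecked:", unchecked is not None, "checked:", checked is not None)
```

When a restore is refused, the server should start a fresh session bound to the connecting identity rather than fall back to the stored one.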

Fix

Missing Authorization


Weakness Enumeration

Related Identifiers

CVE-2026-56104

Affected Products

Chainlit