Microsoft: Chainlit AI Framework Flaws Enable Data Theft via File Read and SSRF Bugs

Critical Vulnerabilities in Chainlit AI Framework Expose Sensitive Data and Enable Lateral Movement

Security researchers at Zafran Security have uncovered two high-severity vulnerabilities collectively dubbed ChainLeak in Chainlit, a widely used open-source AI framework for building conversational chatbots. The flaws, tracked as CVE-2026-22218 (CVSS 7.1) and CVE-2026-22219 (CVSS 8.3), could allow authenticated attackers to steal sensitive data, escalate privileges, and move laterally within compromised systems.

Key Vulnerabilities and Exploit Scenarios

  1. CVE-2026-22218 (Arbitrary File Read)

    • Affects the /project/element update flow due to insufficient validation of user-controlled fields.
    • Enables attackers to read any file accessible to the service, including system environment variables (/proc/self/environ), which may contain API keys, credentials, and internal file paths.
    • If Chainlit uses SQLAlchemy with SQLite, attackers could also exfiltrate database files.
  2. CVE-2026-22219 (Server-Side Request Forgery, SSRF)

    • Exploitable when Chainlit is configured with the SQLAlchemy data layer backend.
    • Allows attackers to send arbitrary HTTP requests to internal network services or cloud metadata endpoints (e.g., AWS EC2 IMDSv1 at 169.254.169.254).
    • If deployed on AWS EC2 with IMDSv1, this could lead to retrieving IAM role credentials, enabling further lateral movement within the cloud environment.
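The file-read flaw comes down to a user-controlled field being used as a path without a containment check. Below is an added example of the kind of guard a defender would want in such an update flow; it is hypothetical code, not Chainlit's, and FILES_DIR, resolve_element_path and the constructed inputs are assumptions:

```python
import os
import tempfile
from pathlib import Path

# Assumed storage root for element files; a constructed temp dir so the
# example runs offline. A real deployment would use its configured
# upload/element directory.
FILES_DIR = Path(tempfile.mkdtemp(prefix="element-store-")).resolve()


class UnsafePath(ValueError):
    """Raised when a user-controlled path would escape the storage root."""


def resolve_element_path(user_path: str) -> Path:
    """Map a user-controlled path onto a file under FILES_DIR, or refuse.

    Symlinks and '..' are resolved *before* the containment check, so
    neither traversal nor a symlink planted inside the store can reach
    /proc/self/environ or a database file that lives outside the root.
    """
    if "\x00" in user_path:
        raise UnsafePath("NUL byte in path")
    # Joining an absolute path discards FILES_DIR; resolve() exposes that.
    candidate = (FILES_DIR / user_path).resolve(strict=False)
    # Component-wise containment: a string-prefix test would accept
    # "/srv/store-evil/x" for a root of "/srv/store".
    if FILES_DIR not in candidate.parents:
        raise UnsafePath(f"path escapes storage root: {user_path!r}")
    return candidate


def is_safe_element_path(user_path: str) -> bool:
    """True if resolve_element_path() accepts the path, False if it refuses."""
    try:
        resolve_element_path(user_path)
        return True
    except UnsafePath:
        return False


if __name__ == "__main__":
    # Constructed inputs, including a symlink inside the store aimed at /etc.
    os.symlink("/etc", FILES_DIR / "escape")
    for p in ["report.pdf", "sub/../ok.txt", "../../proc/self/environ",
              "/proc/self/environ", "escape/passwd"]:
        verdict = "allowed" if is_safe_element_path(p) else "refused"
        print(f"{p!r:28} -> {verdict}")
```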

Zafran researchers warned that combining these flaws could collapse AI application security, turning a seemingly contained issue into full system compromise.

Impact and Adoption

  • Chainlit has seen 7.3 million total downloads, with 220,000 in the past week alone, per Python Software Foundation data.
  • The vulnerabilities were responsibly disclosed on November 23, 2025, and patched in Chainlit v2.9.4 (released December 24, 2025).

Broader AI Security Concerns

Zafran highlighted that as organizations rapidly adopt AI frameworks, traditional vulnerabilities (like SSRF and arbitrary file reads) are being embedded into AI infrastructure, creating new attack surfaces.

Parallel Discovery: Microsoft MarkItDown MCP Server Flaw

Separately, BlueRock disclosed an SSRF vulnerability (MCP fURI) in Microsoft’s MarkItDown Model Context Protocol (MCP) server, affecting AWS EC2 instances using IMDSv1. The flaw allows arbitrary URI calls, enabling:

  • Privilege escalation via metadata service access.
  • Data leakage through unrestricted URI requests.
  • AWS credential theft if an IAM role is attached to the instance.

BlueRock’s analysis of 7,000 MCP servers found that 36.7% are likely exposed to similar SSRF risks. While mitigation steps (e.g., IMDSv2, private IP blocking, and allowlists) were suggested, the findings underscore persistent risks in AI and cloud-native environments.
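The mitigations named above (private IP blocking plus a host allowlist) can be combined into a single outbound-URL guard. This is an added illustration, not code from Chainlit, MarkItDown or BlueRock; ALLOWED_HOSTS, FAKE_DNS and check_outbound_url are assumed names and the DNS table is constructed:

```python
import ipaddress
import socket
from typing import List, Tuple
from urllib.parse import urlsplit

# Assumed deployment setting: the only hosts this service may fetch from.
ALLOWED_HOSTS = {"api.example.com", "rebind.example.com"}

# Constructed DNS table so the example runs offline (8.8.8.8 stands in for
# any routable address). The second host also answers with an RFC 1918
# address, the shape of a rebinding / split-horizon trick.
FAKE_DNS = {
    "api.example.com": ["8.8.8.8"],
    "rebind.example.com": ["8.8.8.8", "10.0.0.5"],
}

def resolve(host: str) -> List[str]:
    """Resolve a hostname; falls back to real DNS for hosts not in FAKE_DNS."""
    if host in FAKE_DNS:
        return FAKE_DNS[host]
    return [info[4][0] for info in socket.getaddrinfo(host, None)]

def is_public_address(addr: str) -> bool:
    """False for loopback, RFC 1918, link-local (169.254/16 covers the EC2
    metadata endpoint), IPv6 ULA/link-local and other reserved ranges."""
    ip = ipaddress.ip_address(addr)
    return ip.is_global and not ip.is_multicast

def check_outbound_url(url: str) -> Tuple[bool, str]:
    """Return (allowed, reason) for a user-controlled fetch target."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not permitted"
    host = parts.hostname
    if not host:
        return False, "missing host"
    # Literal IPs and unknown hosts stop here: a bare 169.254.169.254 is
    # never on the allowlist.
    if host not in ALLOWED_HOSTS:
        return False, f"host {host!r} not on allowlist"
    try:
        addrs = resolve(host)
    except socket.gaierror:
        return False, f"cannot resolve {host!r}"
    # Every resolved address must be public; one internal answer rejects it.
    bad = [a for a in addrs if not is_public_address(a)]
    if bad:
        return False, f"{host!r} resolves to non-public address(es) {bad}"
    return True, "ok"
```

A complete guard also has to connect to the exact address it checked rather than re-resolving, and to re-run the check on every redirect, since a 302 to the metadata endpoint would otherwise bypass it.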

Source: https://thehackernews.com/2026/01/chainlit-ai-framework-flaws-enable-data.html

Microsoft Security cybersecurity rating report: https://www.rankiteo.com/company/microsoft-security
