Chainlit: Chainlit AI framework bugs let hackers breach cloud environments

Critical Vulnerabilities in Chainlit Framework Expose AI Systems to Data Theft and Server Compromise

Researchers at Zafran Labs have uncovered two high-severity vulnerabilities in Chainlit, a widely used open-source framework for building conversational AI applications. The flaws, dubbed ChainLeak, enable attackers to read arbitrary files on affected servers and extract sensitive data without requiring user interaction.

The vulnerabilities CVE-2026-22218 (arbitrary file read) and CVE-2026-22219 (server-side request forgery, or SSRF) pose significant risks to internet-facing AI systems deployed across enterprises, academic institutions, and production environments. Chainlit, which averages 700,000 monthly downloads on PyPI and over 5 million annual downloads, provides a web-based UI, authentication tools, and cloud deployment support, making it a common choice for AI-driven applications.

CVE-2026-22218 allows attackers to exploit the /project/element endpoint by submitting a malicious element with a manipulated path field, forcing the server to copy and expose any accessible file including API keys, cloud credentials, configuration files, and authentication secrets.

CVE-2026-22219, affecting deployments using SQLAlchemy, enables SSRF attacks by tricking the server into making unauthorized outbound requests to internal services. Attackers can then retrieve the fetched data, potentially accessing restricted internal IPs and services. Zafran Labs demonstrated that combining both flaws could lead to full-system compromise and lateral movement in cloud environments.

The vulnerabilities were reported to Chainlit maintainers on November 23, 2025, with an acknowledgment received on December 9, 2025. A patch was released on December 24, 2025, in Chainlit version 2.9.4, with subsequent updates (including 2.9.6) addressing the issues. Organizations using affected versions are advised to upgrade immediately.

Source: https://www.bleepingcomputer.com/news/security/chainlit-ai-framework-bugs-let-hackers-breach-cloud-environments/

Zafran Security cybersecurity rating report: https://www.rankiteo.com/company/zafran-security

"id": "ZAF1769037749",
"linkid": "zafran-security",
"type": "Vulnerability",
"date": "11/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"

{'affected_entities': [{'customers_affected': 'Enterprises, academic '
                                              'institutions, and production '
                                              'environments using affected '
                                              'versions',
                        'industry': 'AI/Software Development',
                        'name': 'Chainlit',
                        'type': 'Open-source framework'}],
 'attack_vector': ['Exploitation of vulnerable endpoints (/project/element)',
                   'Manipulated path field in API requests'],
 'data_breach': {'data_exfiltration': True,
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['API keys',
                                              'Cloud credentials',
                                              'Configuration files',
                                              'Authentication secrets']},
 'date_detected': '2025-11-23',
 'date_resolved': '2025-12-24',
 'description': 'Researchers at Zafran Labs uncovered two high-severity '
                'vulnerabilities (CVE-2026-22218 and CVE-2026-22219) in the '
                'Chainlit framework, enabling attackers to read arbitrary '
                'files and perform SSRF attacks on affected servers. The flaws '
                'allow extraction of sensitive data, including API keys, cloud '
                'credentials, and configuration files, without user '
                'interaction, posing risks of full-system compromise and '
                'lateral movement in cloud environments.',
 'impact': {'data_compromised': ['API keys',
                                 'Cloud credentials',
                                 'Configuration files',
                                 'Authentication secrets'],
            'operational_impact': ['Potential full-system compromise',
                                   'Lateral movement in cloud environments'],
            'systems_affected': ['Internet-facing AI systems',
                                 'Cloud environments']},
 'investigation_status': 'Resolved',
 'post_incident_analysis': {'corrective_actions': ['Patch released to fix '
                                                   'CVE-2026-22218 and '
                                                   'CVE-2026-22219',
                                                   'Upgrade to Chainlit '
                                                   'version 2.9.4 or later'],
                            'root_causes': ['Vulnerable endpoint '
                                            '(/project/element)',
                                            'Insecure handling of path field '
                                            'in API requests',
                                            'Lack of input validation for SSRF '
                                            'attacks']},
 'recommendations': 'Organizations using affected versions of Chainlit are '
                    'advised to upgrade to version 2.9.4 or later immediately.',
 'references': [{'source': 'Zafran Labs'}],
 'response': {'remediation_measures': ['Patch released (Chainlit version 2.9.4 '
                                       'and subsequent updates)'],
              'third_party_assistance': 'Zafran Labs (researchers)'},
 'title': 'Critical Vulnerabilities in Chainlit Framework Expose AI Systems to '
          'Data Theft and Server Compromise',
 'type': ['Vulnerability Exploitation',
          'Data Theft',
          'Server-Side Request Forgery (SSRF)'],
 'vulnerability_exploited': ['CVE-2026-22218 (Arbitrary File Read)',
                             'CVE-2026-22219 (SSRF)']}