Advisory

Vulnerabilities in Chainlit AI Framework Expose Data and Cloud Environments

Take action: Ensure all AI application frameworks are isolated from the internet and accessible only through trusted networks. If you are using Chainlit, plan an update to version 2.9.4 or later. In the meantime, isolate and control PUT requests to the /project/element endpoint.



Chainlit, a popular open-source framework for building conversational AI applications, patched two security vulnerabilities that expose backend infrastructure to data theft and cloud takeovers.

These flaws, dubbed ChainLeak, are an example of how traditional web weaknesses can compromise AI systems even when the models themselves are secure.

Vulnerabilities summary:

  • CVE-2026-22218 (CVSS score 6.5) - Arbitrary file read via custom element manipulation. It allows authenticated attackers to manipulate custom elements to copy sensitive files from the server into their own user session. When integrated with LangChain, this flaw also permits attackers to leak private user prompts and responses stored in the local cache.
  • CVE-2026-22219 (CVSS score 9.1) - Server-side request forgery (SSRF) affecting the SQLAlchemy data layer. Attackers can force the server to fetch data from arbitrary internal or external URLs. In cloud-connected environments, it allows attackers to probe internal APIs or access cloud metadata services, leading to the theft of IAM security tokens and other sensitive cloud credentials. For example, by reading the /proc/self/environ file, attackers can steal API keys, database passwords, and authentication secrets like CHAINLIT_AUTH_SECRET.

Chainlit released a patched version, version 2.9.4, on December 24, 2025. Administrators should update their systems. For those unable to patch right away, Zafran Research recommends applying web application firewall (WAF) rules to block PUT requests to the /project/element endpoint. 
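To check how often the endpoint has been reached while the WAF rule and the upgrade are rolled out, the following added example (not part of the original advisory or of Chainlit) scans reverse-proxy access logs for PUT requests to /project/element. The log lines are constructed, and the combined log format and the path-prefix match are assumptions.

```python
import re
from posixpath import normpath
from urllib.parse import unquote

ENDPOINT = "/project/element"  # endpoint named in the advisory

# Assumption: access logs are in common/combined log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def hits_element_endpoint(method, target):
    """True for a PUT whose normalized path is (or ends with) ENDPOINT."""
    if method != "PUT":
        return False
    path = unquote(target.split("?", 1)[0])   # drop query string, decode %xx
    path = normpath("/" + path.lstrip("/"))   # collapse //, /./, /../, trailing /
    # endswith also covers an app served under a path prefix (assumption).
    return path.endswith(ENDPOINT)

def review(lines):
    """Return (ip, timestamp, status, target) for every matching log line."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and hits_element_endpoint(m["method"], m["target"]):
            findings.append((m["ip"], m["ts"], int(m["status"]), m["target"]))
    return findings

def summarize(findings):
    """Per client: requests the server accepted (2xx) versus rejected."""
    per_ip = {}
    for ip, _ts, status, _target in findings:
        entry = per_ip.setdefault(ip, {"accepted": 0, "rejected": 0})
        entry["accepted" if 200 <= status < 300 else "rejected"] += 1
    return per_ip

# Constructed sample log lines (documentation IP ranges, hypothetical paths).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Jan/2026:10:01:02 +0000] "PUT /project/element HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.7 - - [12/Jan/2026:10:01:09 +0000] "PUT /project//element/?x=1 HTTP/1.1" 403 120 "-" "-"',
    '198.51.100.4 - - [12/Jan/2026:10:02:00 +0000] "PUT /app/project/element HTTP/1.1" 200 512 "-" "-"',
    '192.0.2.10 - - [12/Jan/2026:10:03:00 +0000] "GET /project/element HTTP/1.1" 405 0 "-" "-"',
    '192.0.2.10 - - [12/Jan/2026:10:03:05 +0000] "POST /healthz HTTP/1.1" 200 64 "-" "-"',
]

if __name__ == "__main__":
    for ip, counts in summarize(review(SAMPLE_LOG)).items():
        print(ip, counts)
```

Accepted (2xx) requests seen before the upgrade are the ones to follow up on; rejected ones after the WAF rule is in place show the rule is matching.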
