Two high-severity vulnerabilities in Chainlit, a popular open-source framework for building conversational AI applications, allow reading any file on the server and leaking sensitive information.
The issues, dubbed ‘ChainLeak’ and discovered by Zafran Labs researchers, can be exploited without user interaction and impact “internet-facing AI systems that are actively deployed across multiple industries, including large enterprises.”
The Chainlit AI app-building framework has an average of 700,000 monthly downloads on the PyPI registry and 5 million downloads per year.
It provides a ready-made web UI for chat-based AI parts, backend plumbing tools, and built-in support for authentication, session handling, and cloud deployment. It is typically used in enterprise deployments and academic institutions, and is found in internet-facing production systems.
The two security issues that Zafran researchers discovered are an arbitrary file read tracked as CVE-2026-22218, and a server-side request forgery (SSRF) tracked as CVE-2026-22219.
CVE-2026-22218 can be exploited via the /project/element endpoint and allows attackers to submit a custom element with a controlled ‘path’ field, forcing Chainlit to copy the file at that path into the attacker’s session without validation.
This results in attackers reading any file accessible to the Chainlit server, including sensitive information such as API keys, cloud account credentials, source code, internal configuration files, SQLite databases, and authentication secrets.
CVE-2026-22219 affects Chainlit deployments using the SQLAlchemy data layer, and is exploited by setting the ‘url’ field of a custom element, forcing the server to fetch the URL via an outbound GET request and storing the response.
Attackers may then retrieve the fetched data via element download endpoints, gaining access to internal REST services and probing internal IPs and services, the researchers say.
Zafran demonstrated that the two flaws can be combined into a single attack chain that enables full-system compromise and lateral movement in cloud environments.
The researchers notified the Chainlit maintainers about the flaws on November 23, 2025, and received an acknowledgment on December 9, 2025.
The vulnerabilities were fixed on December 24, 2025, with the release of Chainlit version 2.9.4.
Due to the severity and exploitation potential of CVE-2026-22218 and CVE-2026-22219, impacted organizations are recommended to upgrade to version 2.9.4 or later (the latest is 2.9.6) as soon as possible.
As MCP (Model Context Protocol) becomes the standard for connecting LLMs to tools and data, security teams are moving fast to keep these new services safe.
This free cheat sheet outlines 7 best practices you can start using today.