Zafran Labs uncovered two critical vulnerabilities in Chainlit, a popular open-source framework for building conversational AI apps.
Chainlit powers internet-facing AI systems in enterprises across industries, averaging 700,000 PyPI downloads monthly.
The flaws, CVE-2026-22218 (arbitrary file read) and CVE-2026-22219 (SSRF), enable attackers to steal API keys, sensitive files, and cloud credentials without user interaction.
Zafran confirmed exploitation on real-world servers from major firms, launching Project DarkSide to probe AI infrastructure risks.
These issues hit Chainlit’s core: its UI/frontend layer for user chats and backend for AI orchestration with tools like LangChain, OpenAI, and AWS Bedrock.
Attackers authenticate, then exploit the /project/element PUT endpoint. Chainlit’s Element class mishandles custom elements, copying server files or fetching remote URLs blindly.
Technical Breakdown and Exploitation
CVE-2026-22218: Arbitrary File Read
Attackers send a custom element with a controlled path property. Chainlit’s persist_file copies any server-readable file to the attacker’s session directory, exposed via API.
Targets include /proc/self/environ for env vars like AWS_SECRET_KEY, CHAINLIT_AUTH_SECRET (for token forgery), and .chainlit/.langchain.db (leaking cross-tenant prompts in LangChain setups).
Source code like app.py reveals custom hooks; SQLite DBs dump user chats.
CVE-2026-22219: SSRF
When the SQLAlchemy data layer is in use, an attacker sets url in a custom element. Chainlit fetches it via aiohttp and stores the content, which can then be exfiltrated via generated read URLs. This pairs with the file read to probe internal services learned from leaked env vars or /etc/hosts.
On AWS EC2 with IMDSv1, a request to http://169.254.169.254/latest/meta-data/iam/security-credentials/ returns role creds, enabling lateral movement to buckets, secrets, and LLMs.
The chain starts with an auth bypass via forged tokens and escalates to cloud takeover. No privileges needed beyond session access.
Multi-tenant setups amplify risks, leaking all users’ LLM prompts/responses.
| CVE | CVSS (est.) | Type | Affected Endpoint | Key Targets |
|---|---|---|---|---|
| CVE-2026-22218 | 9.1 (Critical) | Arbitrary File Read | PUT /project/element (path prop) | /proc/self/environ, .langchain.db, app.py |
| CVE-2026-22219 | 8.8 (High) | SSRF | PUT /project/element (url prop) | Internal APIs, 169.254.169.254 (IMDSv1) |
IoCs
- Exposed Chainlit servers: Scan for `/chainlit` paths or WebSocket `/ws` on ports 8000/3000.
- Vulnerable versions: <2.9.4 (check headers/User-Agent for “Chainlit”).
- Traffic: PUT `/project/element` with `{"type":"custom","path":"..."}` or `{"type":"custom","url":"..."}`.
- Files: `.chainlit/.langchain.db`, env leaks containing `CHAINLIT_AUTH_SECRET`.
- Zafran Snort sig:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Chainleak - PUT /project/element"; content:"PUT"; http_method; content:"/project/element"; http_uri; depth:16;)
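
The Snort signature matches on method and URI only. As an added example (not Zafran's or Chainlit's code), the following triage script also inspects the request body for the `path` and `url` patterns listed under Traffic. The `(method, uri, body)` record shape, the finding tag names and the sample records are constructed for illustration.

```python
import ipaddress
import json
from urllib.parse import urlsplit

# Constructed sample records (method, URI, raw JSON body), not captured traffic.
SAMPLE_REQUESTS = [
    ("PUT", "/project/element", '{"type":"custom","path":"/proc/self/environ"}'),
    ("PUT", "/project/element", '{"type":"custom","url":"http://169.254.169.254/latest/meta-data/"}'),
    ("PUT", "/project/element", '{"type":"custom","url":"https://cdn.example.com/widget.json"}'),
    ("PUT", "/project/element", '{"type":"image","name":"chart.png"}'),
    ("GET", "/project/element", ""),
    ("PUT", "/project/element", "{not json"),
]

def _internal_host(url):
    """True if the URL host is a literal private, loopback or link-local IP."""
    try:
        ip = ipaddress.ip_address(urlsplit(url).hostname or "")
    except ValueError:
        return False  # hostname or malformed URL; DNS is not resolved here
    return ip.is_private or ip.is_loopback or ip.is_link_local

def classify(method, uri, body):
    """Return finding tags for one request; an empty list means no match."""
    if method.upper() != "PUT" or urlsplit(uri).path.rstrip("/") != "/project/element":
        return []
    try:
        element = json.loads(body)
    except ValueError:
        return ["unparseable-body"]  # worth a manual look on this endpoint
    if not isinstance(element, dict) or element.get("type") != "custom":
        return []
    findings = []
    if isinstance(element.get("path"), str):
        findings.append("custom-element-path")  # CVE-2026-22218 pattern
    url = element.get("url")
    if isinstance(url, str):
        findings.append("custom-element-url")  # CVE-2026-22219 pattern
        if _internal_host(url):
            findings.append("url-internal-address")
    return findings

def scan(requests):
    """Map request index -> findings for every request that matched."""
    return {i: f for i, r in enumerate(requests) if (f := classify(*r))}

if __name__ == "__main__":
    for idx, tags in scan(SAMPLE_REQUESTS).items():
        print(idx, SAMPLE_REQUESTS[idx][2], tags)
```

The internal-address check covers IP literals only; a URL whose hostname resolves to an internal address is tagged `custom-element-url` without the extra flag.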

Mitigations
Upgrade to Chainlit 2.9.4 immediately. Use Zafran’s Components module or WAF rules. Block IMDSv1; enforce least-privilege IAM. Scan for exposed instances via Shodan/Censys.
Project DarkSide exposes risks across the AI stack (UI, agents, orchestration, and LLMs), where classic flaws chain into cloud breaches. As AI adoption surges, secure frameworks like Chainlit to block “dark side” attacks.
