Security researchers disclosed high-severity vulnerabilities in the open-source AI chatbot framework Chainlit in late 2025 that can leak cloud API keys and enable server-side request forgery. The flaws include two CVEs with CVSS scores 7.1 and 8.3 and the package has been downloaded about 7.3 million times to date.
KEY FACTS
- Incident vulnerabilities in the /project/element update flow
- CVEs CVE-2026-22218 arbitrary file read and CVE-2026-22219 SSRF
- Impact possible exfiltration of API keys and sensitive files
- Fix patched in version 2.9.4 on December 24, 2025
In a technical analysis, Zafran Security reported that the high-severity flaws collectively dubbed ChainLeak could be abused to leak cloud environment API keys, steal sensitive files, and perform SSRF against servers hosting AI applications.
CVE-2026-22218 is an arbitrary file read in the “/project/element” update flow that allows an authenticated attacker to access any file readable by the service because user-controller fields are not validated. CVE-2026-22219 is an SSRF in the same update flow when configured with a SQLAlchemy backend that can make arbitrary HTTP requests to internal services or cloud metadata endpoints and store the responses.
An attacker can read files such as /proc/self/environ to obtain API keys, credentials, and internal paths, or extract database files when SQLite is used as the data layer. The two vulnerabilities can be combined to escalate privileges and move laterally within a compromised environment.
Following responsible disclosure on November 23, 2025, the project addressed both vulnerabilities in the version 2.9.4 release published on December 24, 2025.
WHY IT MATTERS
The flaws allow attackers to extract credentials and internal data from servers running the framework, increasing risk for organizations that deploy the software without recent updates. Applying the patch or otherwise mitigating file-read and SSRF exposures reduces the immediate risk.